Windows Analysis Report
qkkcfptf.exe

Overview

General Information

Sample name: qkkcfptf.exe
Analysis ID: 1503658
MD5: fed6d9f141d4ac6b3388a2c90722bd62
SHA1: 3480f699c94d4a520c8d92dfd2f6c84d5bd9668b
SHA256: b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Yara signature match

Process Tree

  • System is w10x64
  • qkkcfptf.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\qkkcfptf.exe" MD5: FED6D9F141D4AC6B3388A2C90722BD62)
    • cmd.exe (PID: 5660 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3724 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6564 cmdline: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6952 cmdline: "C:\Windows\System32\sc.exe" description tdomrpcj "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7184 cmdline: "C:\Windows\System32\sc.exe" start tdomrpcj MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7292 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2856 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 5532 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6632 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6148 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2648 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6504 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 8016 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • lsremmuy.exe (PID: 7244 cmdline: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d"C:\Users\user\Desktop\qkkcfptf.exe" MD5: 42ADE3A590E500EFD32B843D033A73E4)
    • svchost.exe (PID: 7368 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 7448 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7528 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7780 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
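The tree above is the whole persistence chain in six commands: the sample creates a fresh folder under SysWOW64, moves its dropped copy there from the user's Temp directory (using the 8.3 short name user~1), registers that copy as an auto-start service named tdomrpcj with a benign-looking display name, starts it, and opens an inbound firewall allow rule for the SysWOW64 svchost.exe that the service will later inject into; the injected svchost.exe then runs with a bare "svchost.exe" command line and lsremmuy.exe as parent, which is what the Sigma svchost rules fire on. As an added example that is not Joe Sandbox code and not the Sigma rule files themselves, the Python below runs Sigma-style checks for each of those steps over events constructed from the tree. Field names follow Sysmon Event ID 1 naming, the svchost.exe parent allowlist is an assumption to tune per estate, and the parent of the benign control event (PID 2648) is assumed to be services.exe, which the tree does not show.

```python
"""Added example, not Joe Sandbox code and not the Sigma rule files themselves:
Sigma-style process-creation checks run over events constructed from the
process tree in the report. Field names follow Sysmon Event ID 1 naming and the
svchost.exe parent allowlist is an assumption to be tuned per estate."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # path of the new process
    command_line: str
    parent_image: str


# Constructed from the report's process tree (PIDs, paths and command lines as listed there).
EVENTS = [
    ProcEvent(5660, 6692, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj' "\\",
              r"C:\Users\user\Desktop\qkkcfptf.exe"),
    ProcEvent(3724, 6692, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj' "\\",
              r"C:\Users\user\Desktop\qkkcfptf.exe"),
    ProcEvent(6564, 6692, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"',
              r"C:\Users\user\Desktop\qkkcfptf.exe"),
    ProcEvent(7292, 6692, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
              r"C:\Users\user\Desktop\qkkcfptf.exe"),
    ProcEvent(7368, 7244, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
              r"C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe"),
    # Benign control from the same tree; its parent is assumed to be services.exe (not shown in the report).
    ProcEvent(2648, 624, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s UsoSvc",
              r"C:\Windows\System32\services.exe"),
]

# Assumption: processes that legitimately spawn svchost.exe; extend for your environment.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "ngen.exe", "tiworker.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list:
    """Return the name of every check the event trips (empty list if none)."""
    hits, img, cl = [], _name(ev.image), ev.command_line.lower()

    if img == "sc.exe" and re.search(r"\bcreate\b", cl):
        hits.append("new service created via sc.exe")
        m = re.search(r'binpath=\s*"?([a-z]:\\[^" ]+)', cl)
        path = m.group(1) if m else ""
        # Service binary inside a sub-folder of System32/SysWOW64, or anywhere user-writable.
        if re.search(r"\\(system32|syswow64)\\[^\\]+\\", path) or "\\users\\" in path or "\\temp\\" in path:
            hits.append("service binPath in non-standard location")

    if img == "svchost.exe":
        if _name(ev.parent_image) not in SVCHOST_PARENTS:
            hits.append("svchost.exe with uncommon parent")
        if " -k " not in cl:                      # real service hosts always name a -k group
            hits.append("svchost.exe started without -k service group")

    if img == "netsh.exe" and "advfirewall" in cl and "add rule" in cl and "action=allow" in cl:
        hits.append("inbound allow rule added via netsh advfirewall")

    if img == "cmd.exe":
        m = re.search(r'\bmove\b(?:\s+/y)?\s+"?(.+?)"?\s+"?([a-z]:\\[^"]*)"?\s*$', cl)
        if m and ("\\temp\\" in m.group(1) or "\\appdata\\" in m.group(1)) and m.group(2).startswith("c:\\windows\\"):
            hits.append("dropped file moved from user Temp into Windows directory")

    if re.search(r"~\d+\\", ev.command_line):     # 8.3 short name such as user~1
        hits.append("8.3 short name in command line")
    return hits


def scan(events):
    """Flatten all hits as (pid, check name) pairs."""
    return [(ev.pid, hit) for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for pid, hit in scan(EVENTS):
        print(f"PID {pid}: {hit}")
```

The mkdir step alone does not fire anything, which is intended: the signal is the service whose binary lives in a freshly created sub-folder of SysWOW64, not the folder creation itself.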
Malware family

Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Extracted configuration:
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
[24 further memory-dump entries not shown]

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
0.3.qkkcfptf.exe.780000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.qkkcfptf.exe.780000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.2.qkkcfptf.exe.660e67.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.qkkcfptf.exe.660e67.1.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.qkkcfptf.exe.660e67.1.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
[39 further unpacked-PE entries not shown]
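The two hex patterns are what every Windows_Trojan_Tofsee_26124fe4 match above is keyed on. Read as x86, the 51-byte $a sequence is a small cdecl function taking (dst, src, length, key1, key2): it copies src to dst XORing each byte with key1, and after every byte advances key1 by key2 plus an alternating +1/-1 (the `mov dl,cl / add dl,[ebp+18h] / neg cl / add [ebp+14h],dl` run in the middle). Because the key stream does not depend on the data, one call both encrypts and decrypts. As an added example that is not YARA, not Joe Sandbox code and not a published description of the family, the Python below reproduces the page's hex and string indicators with YARA-style `??` wildcard support and re-implements that routine; the decoder is this editor's reading of the opcodes, and the buffer it is exercised on is constructed, not the sample.

```python
"""Added example (not YARA, not Joe Sandbox code): the Tofsee byte patterns and
strings listed in the report as a small Python scanner, plus a re-implementation
of the routine the $a pattern encodes. The decoder is the editor's reading of
those opcodes; the sample buffer below is constructed for the test."""
import re

# Hex patterns copied from the Windows_Trojan_Tofsee_26124fe4 entries in the report.
PATTERNS = {
    "tofsee_a": "55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 "
                "8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3",
    "tofsee_b": "8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B "
                "38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3",
}
# Text indicators from the MALWARE_Win_Tofsee entries in the report.
STRINGS = [b"loader_id", b"start_srv", b"lid_file_upd", b"localcfg",
           b"Incorrect respons", b"mx connect error",
           b"Error sending command (sent = %d/%d)"]


def hex_pattern(pattern: str):
    """Compile an 'AA BB ?? CC' pattern into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes) -> dict:
    """Map every indicator name to the list of offsets at which it occurs in buf."""
    hits = {name: [m.start() for m in hex_pattern(p).finditer(buf)] for name, p in PATTERNS.items()}
    for s in STRINGS:
        hits[s.decode()] = [m.start() for m in re.finditer(re.escape(s), buf)]
    return hits


def tofsee_decode(src: bytes, key1: int, key2: int) -> bytes:
    """Python equivalent of the $a routine (editor's reading of the opcodes):
    dst[i] = src[i] ^ key1, then key1 += sign + key2 with sign alternating +1/-1,
    everything mod 256. The stream ignores the data, so the call is its own inverse."""
    out, sign = bytearray(), 1
    for b in src:
        out.append(b ^ key1)
        key1 = (key1 + sign + key2) & 0xFF
        sign = -sign
    return bytes(out)


# Constructed buffer: filler, the $a routine, filler, then two text indicators.
A_BYTES = bytes.fromhex(PATTERNS["tofsee_a"].replace(" ", ""))
SAMPLE = b"\x90" * 64 + A_BYTES + b"\x00" * 16 + b"loader_id\x00start_srv\x00"

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        if offsets:
            print(f"{name}: {[hex(o) for o in offsets]}")
    print(tofsee_decode(tofsee_decode(b"localcfg", 0x5A, 0x07), 0x5A, 0x07))
```

Running `scan` over a real memory dump or unpacked PE reproduces the offsets the report lists for those rules; `tofsee_decode` is what to reach for once you have located the encrypted string table and its two key bytes, which this report does not record.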

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d"C:\Users\user\Desktop\qkkcfptf.exe", ParentImage: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe, ParentProcessId: 7244, ParentProcessName: lsremmuy.exe, ProcessCommandLine: svchost.exe, ProcessId: 7368, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\qkkcfptf.exe", ParentImage: C:\Users\user\Desktop\qkkcfptf.exe, ParentProcessId: 6692, ParentProcessName: qkkcfptf.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6564, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.42.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7368, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d"C:\Users\user\Desktop\qkkcfptf.exe", ParentImage: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe, ParentProcessId: 7244, ParentProcessName: lsremmuy.exe, ProcessCommandLine: svchost.exe, ProcessId: 7368, ProcessName: svchost.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\qkkcfptf.exe", ParentImage: C:\Users\user\Desktop\qkkcfptf.exe, ParentProcessId: 6692, ParentProcessName: qkkcfptf.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\, ProcessId: 3724, ProcessName: cmd.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7368, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tdomrpcj
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\qkkcfptf.exe", ParentImage: C:\Users\user\Desktop\qkkcfptf.exe, ParentProcessId: 6692, ParentProcessName: qkkcfptf.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6564, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 2856, ProcessName: svchost.exe
No Suricata rule has matched
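Two of the Sigma events above are not process creations and deserve their own logic: the injected svchost.exe (PID 7368) writes a value named after its own service folder under Windows Defender's Exclusions\Paths key (the `Details: 0` is the DWORD 0 Defender stores per excluded path), and the same process opens outbound TCP/25 to several mail exchangers, which is spam-bot behaviour rather than a mail client submitting through one server. As an added example that is not Joe Sandbox code and not the Sigma rules themselves, the Python below applies both checks to constructed registry (Sysmon Event ID 13) and network (Event ID 3) events taken from the entries in this section; the benign control events, the mail-client allowlist and the fan-out threshold are assumptions.

```python
"""Added example (not Joe Sandbox or Sigma code): checks over constructed
registry (Sysmon EID 13, SetValue) and network (EID 3) events modelled on the
entries in this section. Field names, the mail-client allowlist and the fan-out
threshold are assumptions to adapt to the telemetry in use."""
import re
from collections import defaultdict

# Constructed from the "Registry Key set" entry, plus one unrelated control write.
REG_EVENTS = [
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "event_type": "SetValue",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tdomrpcj",
     "details": "0"},
    {"pid": 4242, "image": r"C:\Windows\System32\notepad.exe", "event_type": "SetValue",   # constructed control
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Example\Setting", "details": "1"},
]

# Constructed from the TCP traffic entries, plus one mail client on 587 to a TEST-NET-3 address.
NET_EVENTS = [
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "52.101.42.0", "dport": 25},
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "98.136.96.74", "dport": 25},
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "74.125.206.27", "dport": 25},
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "94.100.180.31", "dport": 25},
    {"pid": 7368, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "77.232.41.29", "dport": 443},
    {"pid": 4242, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",  # constructed control
     "dst": "203.0.113.10", "dport": 587},
]

DEFENDER_EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes|TemporaryPaths)\\(.+)$", re.I)
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: tune to the estate
FANOUT_THRESHOLD = 3                                # distinct port-25 peers from one process


def defender_exclusion_alerts(events):
    """Every SetValue under a Defender Exclusions key, with the excluded item extracted."""
    alerts = []
    for ev in events:
        if ev["event_type"] != "SetValue":
            continue
        m = DEFENDER_EXCLUSION.search(ev["target"])
        if m:
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "kind": m.group(1), "excluded": m.group(2)})
    return alerts


def smtp_alerts(events):
    """Per process: mail-port traffic from a non-mail-client image, and direct-to-MX fan-out."""
    peers, images = defaultdict(set), {}
    for ev in events:
        if ev["dport"] in MAIL_PORTS:
            peers[ev["pid"]].add((ev["dst"], ev["dport"]))
            images[ev["pid"]] = ev["image"]
    alerts = []
    for pid, dests in peers.items():
        reasons = []
        if images[pid].rsplit("\\", 1)[-1].lower() not in MAIL_CLIENTS:
            reasons.append("mail port from non-mail-client image")
        mx_hosts = {dst for dst, port in dests if port == 25}
        if len(mx_hosts) >= FANOUT_THRESHOLD:
            reasons.append(f"direct-to-MX fan-out to {len(mx_hosts)} hosts")
        if reasons:
            alerts.append({"pid": pid, "image": images[pid], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in defender_exclusion_alerts(REG_EVENTS) + smtp_alerts(NET_EVENTS):
        print(a)
```

Port 25 from a workstation is the stronger of the two network signals: end-user mail clients submit on 587 or 465 to a single configured server, so any process talking to several MX hosts on 25 is either a mail relay or a spam engine.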


AV Detection

Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: 0.2.qkkcfptf.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: qkkcfptf.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\lsremmuy.exe | Joe Sandbox ML: detected
Source: qkkcfptf.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\qkkcfptf.exe | Unpacked PE file: 0.2.qkkcfptf.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Unpacked PE file: 20.2.lsremmuy.exe.400000.0.unpack
Source: C:\Users\user\Desktop\qkkcfptf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (value name: C:\Windows\SysWOW64\tdomrpcj)

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.206.27:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29:443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0:25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.42.0
Source: Joe Sandbox View | IP Address: 98.136.96.74
Source: Joe Sandbox View | IP Address: 94.100.180.31
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-NE1US
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 52.101.42.0:25
Source: global traffic | TCP traffic: 192.168.2.7:49719 -> 98.136.96.74:25
Source: global traffic | TCP traffic: 192.168.2.7:49722 -> 74.125.206.27:25
Source: global traffic | TCP traffic: 192.168.2.7:49727 -> 94.100.180.31:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS query: time.windows.com
Source: global traffic | DNS query: vanaheim.cn
Source: global traffic | DNS query: yahoo.com
Source: global traffic | DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS query: google.com
Source: global traffic | DNS query: smtp.google.com
Source: global traffic | DNS query: mail.ru
Source: global traffic | DNS query: mxs.mail.ru
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439670175.0000021129977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489251397.00000211290C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 00000018.00000003.1439670175.0000021129977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2490222365.0000021129EA4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2490264872.0000021129EB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000018.00000002.2490222365.0000021129EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_AAAAAAAA
Source: svchost.exe, 00000018.00000002.2490222365.0000021129EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_AAAAAAAAAA
Source: svchost.exe, 00000018.00000002.2488410594.00000211290A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000018.00000003.1309036980.0000021129955000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000018.00000003.1439765910.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.com/P
Source: svchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAA
Source: svchost.exe, 00000018.00000002.2489831128.000002112997E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000018.00000003.1389433073.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdo9e6dt
Source: svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x
Source: svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000018.00000003.1439765910.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAA
Source: svchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000018.00000003.1309036980.0000021129955000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsden.or
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 00000018.00000003.1466296857.0000021129975000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.sis-op
Source: svchost.exe, 00000018.00000002.2490222365.0000021129EA4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489983391.0000021129E39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 00000018.00000002.2489752544.0000021129937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1491960510.0000021129989000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489752544.0000021129937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000018.00000002.2489831128.000002112997E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyAAAAA
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1481666612.0000021129969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policysrf
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000018.00000003.1309036980.0000021129955000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000018.00000002.2489037349.00000211290B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1295250087.0000021129953000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1481666612.0000021129969000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
Source: svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueure
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1481666612.0000021129969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489251397.00000211290C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1481666612.0000021129969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000C.00000002.2487152680.00000227DE287000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.12.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000006.00000002.1364680041.000002499EA13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000018.00000002.2489037349.00000211290B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o
Source: svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=8
Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
        Source: svchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Chang
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/i
        Source: svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
        Source: svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
        Source: svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293701818.0000021129957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
        Source: svchost.exe, 00000006.00000002.1364809783.000002499EA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
        Source: svchost.exe, 00000006.00000003.1364284929.000002499EA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364836971.000002499EA70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364741617.000002499EA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364393865.000002499EA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364120552.000002499EA6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
        Source: svchost.exe, 00000006.00000002.1364822917.000002499EA68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
        Source: svchost.exe, 00000006.00000002.1364836971.000002499EA70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364120552.000002499EA6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
        Source: svchost.exe, 00000006.00000003.1364284929.000002499EA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364393865.000002499EA65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
        Source: svchost.exe, 00000006.00000003.1364149895.000002499EA67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364822917.000002499EA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
        Source: svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364393865.000002499EA65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
        Source: svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
        Source: svchost.exe, 00000006.00000002.1364809783.000002499EA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364741617.000002499EA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
        Source: svchost.exe, 00000006.00000002.1364713310.000002499EA35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364308263.000002499EA47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364809783.000002499EA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364741617.000002499EA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364741617.000002499EA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tp
        Source: svchost.exe, 00000006.00000003.1364120552.000002499EA6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
        Source: svchost.exe, 00000006.00000003.1263647128.000002499EA38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
        Source: svchost.exe, 00000006.00000003.1364149895.000002499EA67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364822917.000002499EA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.ecur
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.co
        Source: svchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
        Source: svchost.exe, 00000018.00000002.2490222365.0000021129EA4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
        Source: svchost.exe, 00000018.00000002.2489368157.00000211290FA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.00000211290F9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.00000211290F8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
        Source: svchost.exe, 00000018.00000002.2489368157.00000211290FA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.00000211290F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfd
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
        Source: svchost.exe, 00000018.00000003.1294128035.0000021129927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
        Source: svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294128035.0000021129927000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfssuer
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
        Source: svchost.exe, 00000018.00000003.1294128035.0000021129927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
        Source: svchost.exe, 00000018.00000002.2488410594.00000211290A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465658759.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465588120.000002112990E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DlGphEoPOxhoO7M7iM7trbE2mupJzX2EsQ
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293962021.000002112996B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
        Source: svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfls
        Source: svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
        Source: svchost.exe, 00000018.00000002.2489983391.0000021129E39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfom
        Source: svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfue
        Source: svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLo
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
        Source: svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
        Source: svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293701818.0000021129957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
        Source: svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
        Source: svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293355214.000002112995A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
        Source: svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
        Source: svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
        Source: svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srf
        Source: svchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489251397.00000211290C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf
        Source: svchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srfityCRL
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsofto
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure
        Source: svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
        Source: svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
        Source: svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
        Source: svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
        Source: svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
        Source: svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
        Source: svchost.exe, 00000018.00000003.1294128035.0000021129927000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
        Source: svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
        Source: svchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
        Source: svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
        Source: svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
        Source: svchost.exe, 00000006.00000003.1364308263.000002499EA47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000006.00000003.1364308263.000002499EA47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000006.00000003.1364236576.000002499EA5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
        Source: svchost.exe, 00000006.00000002.1364809783.000002499EA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
        Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara match | File source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: qkkcfptf.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: lsremmuy.exe PID: 7244, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7368, type: MEMORYSTR

        System Summary

        Source: 0.3.qkkcfptf.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.qkkcfptf.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.qkkcfptf.exe.660e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.qkkcfptf.exe.660e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.770e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.770e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.3.lsremmuy.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.3.lsremmuy.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000014.00000002.1286235546.00000000009F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\tdomrpcj\Jump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exeCode function: 20_2_0040C91320_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 23_2_02C6C91323_2_02C6C913
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: String function: 006627AB appears 35 times
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\qkkcfptf.exeCode function: String function: 00402544 appears 53 times
        Source: 0.3.qkkcfptf.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.qkkcfptf.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.qkkcfptf.exe.660e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.qkkcfptf.exe.660e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.770e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.770e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.3.lsremmuy.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.3.lsremmuy.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000014.00000002.1286235546.00000000009F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@35/8@10/5
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_006A8CC8 CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_02C69A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3724:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
        Source: C:\Users\user\Desktop\qkkcfptf.exe | File created: C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe
        Source: C:\Users\user\Desktop\qkkcfptf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: qkkcfptf.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\qkkcfptf.exe | File read: C:\Users\user\Desktop\qkkcfptf.exe
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14608
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_20-14716
        Source: unknown | Process created: C:\Users\user\Desktop\qkkcfptf.exe "C:\Users\user\Desktop\qkkcfptf.exe"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description tdomrpcj "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tdomrpcj
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d"C:\Users\user\Desktop\qkkcfptf.exe"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description tdomrpcj "wifi internet conection"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tdomrpcj
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: msvcr100.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: slc.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Users\user\Desktop\qkkcfptf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usosvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: updatepolicy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: upshared.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usocoreps.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usoapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dmiso8601utils.dll
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wlidsvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msxml6.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: gamestreamingext.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msauserext.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptnet.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptngc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptprov.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: elscore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: elstrans.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: installservice.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: starttiledata.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: eamprogresshandler.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windows.web.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptowinrt.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wuapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wups.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: usoapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
        Source: qkkcfptf.exe | Static file information: File size 12178944 > 1048576
        Source: C:\Users\user\Desktop\qkkcfptf.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Data Obfuscation

        Source: C:\Users\user\Desktop\qkkcfptf.exe | Unpacked PE file: 0.2.qkkcfptf.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Unpacked PE file: 20.2.lsremmuy.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Unpacked PE file: 0.2.qkkcfptf.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Unpacked PE file: 20.2.lsremmuy.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, | 0_2_00406069

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe (copy)
        Source: C:\Users\user\Desktop\qkkcfptf.exe | File created: C:\Users\user\AppData\Local\Temp\lsremmuy.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdomrpcj
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\qkkcfptf.exe
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00401000
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
        Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 23_2_02C6199C
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15577
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_20-16054
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_23-6460
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_23-6142
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_20-15105
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_23-6422
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15804
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-14795
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-14847
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_23-7445
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_20-14737
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14624
        Source: C:\Users\user\Desktop\qkkcfptf.exe | API coverage: 5.9 %
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | API coverage: 4.4 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 7392 | Thread sleep count: 38 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 7392 | Thread sleep time: -38000s >= -30000s
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 occurrences)
        Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
        Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
        Source: svchost.exe, 0000000A.00000002.2488086101.0000015878C7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
        Source: svchost.exe, 0000000A.00000002.2488086101.0000015878C73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000x
        Source: svchost.exe, 0000000C.00000002.2488496497.00000227DEB32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-42 2$@S
        Source: svchost.exe, 00000018.00000002.2488410594.00000211290A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
        Source: svchost.exe, 0000000A.00000002.2488633766.0000015878D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000000A.00000002.2487567340.0000015878C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
        Source: svchost.exe, 00000017.00000002.2486505317.0000000003000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
        Source: svchost.exe, 00000019.00000002.2486773771.000001FB97A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: svchost.exe, 0000000A.00000002.2487567340.0000015878C42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
        Source: svchost.exe, 0000000A.00000002.2487904184.0000015878C53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000000A.00000002.2487904184.0000015878C53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000ni
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
        Source: svchost.exe, 0000000A.00000002.2487208474.0000015878C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
        Source: svchost.exe, 0000000C.00000002.2488496497.00000227DEB32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-42 2$@System\CurrentControlSet\Services\ClipSVC\Parameters
        Source: svchost.exe, 0000000A.00000002.2488086101.0000015878C73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
        Source: svchost.exe, 00000018.00000002.2489983391.0000021129E50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXT15E6VMWare
        Source: svchost.exe, 0000000A.00000002.2487904184.0000015878C53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
        Source: svchost.exe, 0000000C.00000003.1309412455.00000227DEB37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | API call chain: ExitProcess graph end node graph_20-15108

        Anti Debugging

        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_20-16115
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_0-16112
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_0066092B mov eax, dword ptr fs:[00000030h] 0_2_0066092B
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00660D90 mov eax, dword ptr fs:[00000030h] 0_2_00660D90
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_006A85A5 push dword ptr fs:[00000030h] 0_2_006A85A5
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_0077092B mov eax, dword ptr fs:[00000030h] 20_2_0077092B
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_00770D90 mov eax, dword ptr fs:[00000030h] 20_2_00770D90
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_00A01F95 push dword ptr fs:[00000030h] 20_2_00A01F95
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 20_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_02C69A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 23_2_02C69A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.206.27 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.74 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0 25
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2C60000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C60000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C60000
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AC6008
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description tdomrpcj "wifi internet conection"
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tdomrpcj
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey, 0_2_00407A95
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey, 0_2_00407A95
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul (2 occurrences)
        Source: svchost.exe, 00000011.00000002.2489075414.0000016BE3F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
        Source: svchost.exe, 00000011.00000002.2489075414.0000016BE3F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
        Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 occurrences)

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: qkkcfptf.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: lsremmuy.exe PID: 7244, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7368, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.qkkcfptf.exe.660e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.svchost.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.3.lsremmuy.exe.790000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.qkkcfptf.exe.780000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.qkkcfptf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.9c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.lsremmuy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: qkkcfptf.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: lsremmuy.exe PID: 7244, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7368, type: MEMORYSTR
        Source: C:\Users\user\Desktop\qkkcfptf.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
        Source: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe | Code function: 20_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 20_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_02C688B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 23_2_02C688B0
        MITRE ATT&CK Matrix (one row per tactic; the number in parentheses is the count shown beside that technique in the original matrix, techniques without a number carried no count)

        Tactic | Techniques
        Reconnaissance | Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
        Resource Development | Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
        Initial Access | Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
        Execution | Windows Management Instrumentation (1), Native API (41), Command and Scripting Interpreter (2), Service Execution (3), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
        Persistence | DLL Side-Loading (1), Valid Accounts (1), Windows Service (14), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
        Privilege Escalation | DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (14), Process Injection (412), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
        Defense Evasion | Disable or Modify Tools (4), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1), File Deletion (1), Masquerading (12), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (23), Process Injection (412)
        Credential Access | OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
        Discovery | System Time Discovery (2), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (26), Security Software Discovery (251), Virtualization/Sandbox Evasion (23), Process Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), Network Service Discovery, System Network Connections Discovery
        Lateral Movement | Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
        Collection | Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
        Command and Control | Ingress Tool Transfer (1), Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (112), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
        Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
        Impact | Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph (ID 1503658, sample qkkcfptf.exe, start date 03/09/2024, architecture WINDOWS, score 100)

Start node
• DNS/IP: yahoo.com; vanaheim.cn; 7 other IPs or domains
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
• Started processes: qkkcfptf.exe; lsremmuy.exe; svchost.exe; 9 other processes

qkkcfptf.exe
• Dropped file: C:\Users\user\AppData\Local\...\lsremmuy.exe (PE32)
• Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
• Started processes: cmd.exe (dropped C:\Windows\SysWOW64\...\lsremmuy.exe (copy), PE32; started conhost.exe); netsh.exe (started conhost.exe); cmd.exe (started conhost.exe); 3 other processes (each started conhost.exe)

lsremmuy.exe
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
• Started process: svchost.exe

svchost.exe (started by lsremmuy.exe)
• DNS/IP: mta6.am0.yahoodns.net 98.136.96.74, port 25 (YAHOO-NE1US, United States); microsoft-com.mail.protection.outlook.com 52.101.42.0, port 25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 3 other IPs or domains
• Signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

svchost.exe (started from the start node)
• Signature: Changes security center settings (notifications, updates, antivirus, firewall)
• Started process: MpCmdRun.exe (started conhost.exe)

9 other processes
• Signature: Query firmware table information (likely to detect VMs)

| Source | Detection | Scanner |
| qkkcfptf.exe | 39% | ReversingLabs |
| qkkcfptf.exe | 100% | Joe Sandbox ML |

| Source | Detection | Scanner |
| C:\Users\user\AppData\Local\Temp\lsremmuy.exe | 100% | Joe Sandbox ML |

No Antivirus matches

No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| mta6.am0.yahoodns.net | 98.136.96.74 | true | true | | unknown |
| mxs.mail.ru | 94.100.180.31 | true | true | | unknown |
| microsoft-com.mail.protection.outlook.com | 52.101.42.0 | true | true | | unknown |
| vanaheim.cn | 77.232.41.29 | true | true | | unknown |
| smtp.google.com | 74.125.206.27 | true | false | | unknown |
| google.com | unknown | unknown | true | | unknown |
| time.windows.com | unknown | unknown | true | | unknown |
| yahoo.com | unknown | unknown | true | | unknown |
| mail.ru | unknown | unknown | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
| jotunheim.name:443 | true | Avira URL Cloud: malware | unknown |
| vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown |
                          • Avira URL Cloud: safe
                          unknown
                          https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/09/policysrfsvchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1481666612.0000021129969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000018.00000003.1309036980.0000021129955000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://Passport.NET/STSsvchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465641460.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439670175.0000021129977000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://login.live.cosvchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://account.live.com/isvchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.w3.osvchost.exe, 00000018.00000002.2489037349.00000211290B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://Passport.NET/tbsvchost.exe, 00000018.00000002.2490058055.0000021129E5D000.00000004.00000020.00020000.00000000.sdmpfalse
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 00000018.00000003.1439524561.000002112996E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482062934.000002112997E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://account.live.com/Wizard/Password/Changsvchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMMsvchost.exe, 00000018.00000003.1294128035.0000021129927000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://signup.live.com/signup.aspxsvchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000006.00000003.1364149895.000002499EA67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364822917.000002499EA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1482161153.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489368157.0000021129102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1453334021.0000021129102000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1491960510.0000021129989000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2489752544.0000021129937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000018.00000002.2489752544.0000021129937000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 00000018.00000003.1439473576.000002112995A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdo9e6dtsvchost.exe, 00000018.00000003.1389433073.000002112990E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 00000006.00000002.1364836971.000002499EA70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364120552.000002499EA6E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488131237.000002112902B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364393865.000002499EA65000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 00000006.00000003.1364308263.000002499EA47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 00000018.00000003.1293336086.0000021129910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 00000006.00000002.1364809783.000002499EA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364741617.000002499EA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364174880.000002499EA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364319823.000002499EA43000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 00000006.00000002.1364783336.000002499EA58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364333009.000002499EA57000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000018.00000002.2489037349.00000211290B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1295250087.0000021129953000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsden.orsvchost.exe, 00000018.00000003.1309036980.0000021129955000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(svchost.exe, 00000018.00000003.1439765910.000002112990E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000006.00000002.1364698436.000002499EA2B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 00000018.00000002.2488410594.000002112905E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1294737809.0000021129956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.000002112992C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293206617.0000021129929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293378452.0000021129952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000018.00000002.2489781336.000002112995F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1465529687.000002112990E000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000018.00000002.2488317172.0000021129046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293618927.000002112993B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293758803.0000021129940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000003.1293783138.0000021129963000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.42.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
74.125.206.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
98.136.96.74 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503658
Start date and time: 2024-09-03 19:05:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: qkkcfptf.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@35/8@10/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 67
• Number of non-executed functions: 257
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.70.246.20, 20.231.239.246, 20.236.44.162, 20.112.250.133, 40.126.32.68, 40.126.32.74, 20.190.160.14, 40.126.32.136, 40.126.32.138, 20.190.160.17, 20.190.160.22, 40.126.32.133, 20.101.57.9
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, twc.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: qkkcfptf.exe
Time | Type | Description
14:26:24 | API Interceptor | 11x Sleep call for process: svchost.exe modified
14:26:40 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.42.0 | fdnoqmpv.exe | malicious | Tofsee
 | .exe | malicious | Unknown
 | Sm4Ty3Em4z.exe | malicious | Tofsee
 | rRBVVlBwia.exe | malicious | Tofsee
 | DWoKcG581L.exe | malicious | Tofsee
 | L7iza9mNDI.exe | malicious | Tofsee
 | file.exe | malicious | Tofsee
 | sorteado!!.com.exe | malicious | Unknown
 | U9dDsItOij.exe | malicious | Tofsee
 | bwntJQufLG.exe | malicious | Tofsee
98.136.96.74 | rRBVVlBwia.exe | malicious | Tofsee
 | file.exe | malicious | Phorpiex
 | file.exe | malicious | Phorpiex
 | file.exe | malicious | Tofsee
 | newtpp.exe | malicious | Phorpiex
 | gEkl9O5tiu.exe | malicious | Phorpiex
 | file.exe | malicious | Phorpiex, Xmrig
 | l3Qj8QhTYZ.exe | malicious | Phorpiex
 | data.log.exe | malicious | Unknown
 | test.dat.exe | malicious | Unknown
77.232.41.29 | knkduwqg.exe | malicious | Tofsee
 | foufdsk.exe | malicious | Tofsee
 | UUJycuNA6D.exe | malicious | Tofsee
 | bEsOrli29K.exe | malicious | Tofsee
94.100.180.31 | UUJycuNA6D.exe | malicious | Tofsee
 | igvdwmhd.exe | malicious | Tofsee
 | fdnoqmpv.exe | malicious | Tofsee
 | rRBVVlBwia.exe | malicious | Tofsee
 | setup.exe | malicious | Tofsee
 | m4Jp2TLBHJ.exe | malicious | Tofsee
 | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
 | vyrcclmm.exe | malicious | Tofsee
 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
 | file.exe | malicious | Phorpiex, Xmrig
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                mxs.mail.ruknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                                • 217.69.139.150
                                                                                                foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                                • 217.69.139.150
                                                                                                UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                                • 94.100.180.31
                                                                                                bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                                • 217.69.139.150
                                                                                                Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                                • 217.69.139.150
igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150

Match: mta6.am0.yahoodns.net
knkduwqg.exe | malicious | Tofsee | 98.136.96.75
foufdsk.exe | malicious | Tofsee | 98.136.96.76
UUJycuNA6D.exe | malicious | Tofsee | 67.195.204.77
SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
.exe | malicious | Unknown | 98.136.96.76
Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110

Match: microsoft-com.mail.protection.outlook.com
knkduwqg.exe | malicious | Tofsee | 52.101.11.0
foufdsk.exe | malicious | Tofsee | 52.101.40.26
UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
bEsOrli29K.exe | malicious | Tofsee | 52.101.11.0
Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
.exe | malicious | Unknown | 52.101.40.26
Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0

Match: vanaheim.cn
knkduwqg.exe | malicious | Tofsee | 77.232.41.29
foufdsk.exe | malicious | Tofsee | 77.232.41.29
UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95

Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
knkduwqg.exe | malicious | Tofsee | 52.101.11.0
foufdsk.exe | malicious | Tofsee | 52.101.40.26
UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
Pensacola Country Club.pdf | malicious | Unknown | 52.108.66.1
file.exe | malicious | Unknown | 13.107.246.67
http://bestbuy.beautybyjoulexa.com.au/citrix/fxc/bWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20= | malicious | HTMLPhisher | 20.190.160.20
file.exe | malicious | Unknown | 13.107.246.60
http://www.harmonyhomesestateagency.com | malicious | Unknown | 168.61.99.102
PossiblePhishing.html | malicious | HTMLPhisher | 13.107.246.60
file.exe | malicious | Unknown | 13.107.246.60

Match: YAHOO-NE1US
knkduwqg.exe | malicious | Tofsee | 98.136.96.75
foufdsk.exe | malicious | Tofsee | 98.136.96.76
.exe | malicious | Unknown | 98.136.96.76
VvlYJBzLuW.elf | malicious | Mirai | 216.252.107.64
rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
setup.exe | malicious | Tofsee | 98.136.96.76
botx.arm.elf | malicious | Mirai | 98.138.56.151
SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
s4WsI8Qcm4.elf | malicious | Mirai, Moobot | 98.139.105.91

Match: EUT-ASEUTIPNetworkRU
knkduwqg.exe | malicious | Tofsee | 77.232.41.29
foufdsk.exe | malicious | Tofsee | 77.232.41.29
UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
Set-up.exe | malicious | Cryptbot | 77.232.42.234
Set-up.exe | malicious | Cryptbot | 77.232.42.234
file.exe | malicious | Cryptbot | 77.232.42.234
file.exe | malicious | Cryptbot | 77.232.42.234
file.exe | malicious | Cryptbot | 77.232.42.234
file.exe | malicious | Cryptbot | 77.232.42.234

Match: MAILRU-ASMailRuRU
knkduwqg.exe | malicious | Tofsee | 217.69.139.150
foufdsk.exe | malicious | Tofsee | 217.69.139.150
UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
http://manga-netflix10737.tinyblogging.com.xx3.kz/ | malicious | Unknown | 94.100.180.209
SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 188.93.63.129
SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 188.93.63.180
Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150

No context
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 697182
Entropy (8bit): 5.235513021710934
Encrypted: false
SSDEEP: 12288:HBXiKZWAAllNJheaP7Qata86tcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDpl10:i+
MD5: 71FFFB8A2B3508C2B65537C70FC4EAAC
SHA1: 6FC9C7C5FDE9D25F6D4DE51038A4CBCBF029FF81
SHA-256: 1F1A4D14D8652A5CA50092DAFFE13990B93857D0E7FCA7AEA09C6F9CD6041FAE
SHA-512: ED232C03AEA35F09A70D10D4E004649D1A89EC586820F3CCE144E3632358DE03D36542749D8020970F0CE2784218C6DDE840823ADF7227F0B2A78D2F90CF0EBF
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 1.197129734087731
Encrypted: false
SSDEEP: 12:mjqPqF69Fq5D5k56GWtbgjO3s7Nxk56GVQ9s3Ar3N:mc1UGtm2jGtR03N
MD5: 3DBAEBE1B905EF895FFEBD04F3B75EA2
SHA1: 90421166D7DBBF4776CBDBAC292B208396CBE663
SHA-256: D1EBDF4E03303815015489D997CDEB97F7D8CC7560677728ACDB265D0F175B67
SHA-512: 9B690D689C358BFCB6BE5A98BEC8B86397A7C8543BF0D1B193FF63AAC46D0380B352C178FAC0C55275EA27AB711C83DCFBF9653C3BBA05DC73BB71BCA2811888
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 999
Entropy (8bit): 4.966299883488245
Encrypted: false
SSDEEP: 24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5: 24567B9212F806F6E3E27CDEB07728C0
SHA1: 371AE77042FFF52327BF4B929495D5603404107D
SHA-256: 82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512: 5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious: false
Preview (non-printable bytes decoded as line breaks and indentation):
<?xml version="1.0" encoding="utf-8"?>
<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
  <entitlement_required_indicator>true</entitlement_required_indicator>
  <product_title>Windows 10 Pro</product_title>
  <product_version>
    <name>10.0.19041.1865</name>
    <numeric>
      <major>10</major>
      <minor>0</minor>
      <build>19041</build>
      <review>1865</review>
    </numeric>
  </product_version>
  <software_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_creator>
  <software_licensor>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_licensor>
  <software_id>
    <unique_id>Windows-10-Pro</unique_id>
    <tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>
  </software_id>
  <tag_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </tag_creator>
</software_identification_tag>
Process: C:\Users\user\Desktop\qkkcfptf.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 12557824
Entropy (8bit): 4.598340424971459
Encrypted: false
SSDEEP: 6144:Zc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:Z1OZDisvwdaxO0PuG1R4CWs
MD5: 42ADE3A590E500EFD32B843D033A73E4
SHA1: 9421228E2AC0EA1E990A99F705CC4FC3892AEDF9
SHA-256: 6C526EAE6EC97B59821F408738A9933469F841B51374AC482E640325F289CF93
SHA-512: A512171055923BBE0490EA06C99A62EAB6BD69FC0F0BD6EF439DBFDD9B03D3A2695C0FC9E01FDC8C6949A56CF4A2274F7165983176D2360A2A13920F9B8F15BA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 2464
Entropy (8bit): 3.2433536798164977
Encrypted: false
SSDEEP: 24:QOaqdmuF3rkINV+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPi:FaqdF7kIP+AAHdKoqKFxcxkFaIV
MD5: CAEE59AB681EF21658F0F72018D79B35
SHA1: ABF8A2AD8282D7DF9877F451E93B22B3C2B54001
SHA-256: 6AFBDA55934B1FCC40C69E4EFE83CAA2A1F73EF30627FDDC754DEE52A7E6305A
SHA-512: 497CCA85773A942B027D462F8A0B1D25D1FED429CB784BFD0957312DB5E1CE830059CD7FBBA922A8DEA8EA9AC77603BFC1833D1301EBF14B0239BD2A5CDF980A
Malicious: false
Preview (UTF-16 text decoded; truncated where the report's preview ends):
--------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Tue Sep 03 2024 14:26:40

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsd
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):12557824
                                                                                                Entropy (8bit):4.598340424971459
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:Zc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:Z1OZDisvwdaxO0PuG1R4CWs
                                                                                                MD5:42ADE3A590E500EFD32B843D033A73E4
                                                                                                SHA1:9421228E2AC0EA1E990A99F705CC4FC3892AEDF9
                                                                                                SHA-256:6C526EAE6EC97B59821F408738A9933469F841B51374AC482E640325F289CF93
                                                                                                SHA-512:A512171055923BBE0490EA06C99A62EAB6BD69FC0F0BD6EF439DBFDD9B03D3A2695C0FC9E01FDC8C6949A56CF4A2274F7165983176D2360A2A13920F9B8F15BA
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......(...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3773
                                                                                                Entropy (8bit):4.7109073551842435
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                Malicious:false
                                                                                                Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):4.600500924058611
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:qkkcfptf.exe
                                                                                                File size:12'178'944 bytes
                                                                                                MD5:fed6d9f141d4ac6b3388a2c90722bd62
                                                                                                SHA1:3480f699c94d4a520c8d92dfd2f6c84d5bd9668b
                                                                                                SHA256:b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf
                                                                                                SHA512:f678216084e177bc51879d697f6e4201449874ed1c6f4c41fc1cb62aecf8ed5c3ab17784c1d30c481ee99c727fe0a29cd2854bdcaf554b3da425d59b5e957719
                                                                                                SSDEEP:6144:rc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:r1OZDisvwdaxO0PuG1R4CWs
                                                                                                TLSH:39C6537392E5BD54FA627A329E2FC6FC361EF951CD08379A2118BF0F2471162D1AA311
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e...................
                                                                                                Icon Hash:cd4d3d2e4e054d03
                                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                 Sep 3, 2024 19:06:10.699621916 CEST | 49701 | 25 | 192.168.2.7 | 52.101.42.0
                                                                                                 Sep 3, 2024 19:06:11.709086895 CEST | 49701 | 25 | 192.168.2.7 | 52.101.42.0
                                                                                                 Sep 3, 2024 19:06:13.724699020 CEST | 49701 | 25 | 192.168.2.7 | 52.101.42.0
                                                                                                 Sep 3, 2024 19:06:14.053828955 CEST | 49707 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:14.053872108 CEST | 443 | 49707 | 77.232.41.29 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:14.054115057 CEST | 49707 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:17.724771023 CEST | 49701 | 25 | 192.168.2.7 | 52.101.42.0
                                                                                                 Sep 3, 2024 19:06:25.724807978 CEST | 49701 | 25 | 192.168.2.7 | 52.101.42.0
                                                                                                 Sep 3, 2024 19:06:30.713567019 CEST | 49719 | 25 | 192.168.2.7 | 98.136.96.74
                                                                                                 Sep 3, 2024 19:06:31.724771023 CEST | 49719 | 25 | 192.168.2.7 | 98.136.96.74
                                                                                                 Sep 3, 2024 19:06:33.724781036 CEST | 49719 | 25 | 192.168.2.7 | 98.136.96.74
                                                                                                 Sep 3, 2024 19:06:37.724822998 CEST | 49719 | 25 | 192.168.2.7 | 98.136.96.74
                                                                                                 Sep 3, 2024 19:06:45.724833965 CEST | 49719 | 25 | 192.168.2.7 | 98.136.96.74
                                                                                                 Sep 3, 2024 19:06:50.749098063 CEST | 49722 | 25 | 192.168.2.7 | 74.125.206.27
                                                                                                 Sep 3, 2024 19:06:51.756155014 CEST | 49722 | 25 | 192.168.2.7 | 74.125.206.27
                                                                                                 Sep 3, 2024 19:06:53.771939039 CEST | 49722 | 25 | 192.168.2.7 | 74.125.206.27
                                                                                                 Sep 3, 2024 19:06:54.068819046 CEST | 49707 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:54.068882942 CEST | 443 | 49707 | 77.232.41.29 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:54.068933010 CEST | 49707 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:54.178782940 CEST | 49723 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:54.178833008 CEST | 443 | 49723 | 77.232.41.29 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:54.178917885 CEST | 49723 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:06:57.771893024 CEST | 49722 | 25 | 192.168.2.7 | 74.125.206.27
                                                                                                 Sep 3, 2024 19:07:05.771800995 CEST | 49722 | 25 | 192.168.2.7 | 74.125.206.27
                                                                                                 Sep 3, 2024 19:07:10.758471966 CEST | 49727 | 25 | 192.168.2.7 | 94.100.180.31
                                                                                                 Sep 3, 2024 19:07:11.771855116 CEST | 49727 | 25 | 192.168.2.7 | 94.100.180.31
                                                                                                 Sep 3, 2024 19:07:13.771823883 CEST | 49727 | 25 | 192.168.2.7 | 94.100.180.31
                                                                                                 Sep 3, 2024 19:07:17.771984100 CEST | 49727 | 25 | 192.168.2.7 | 94.100.180.31
                                                                                                 Sep 3, 2024 19:07:25.772036076 CEST | 49727 | 25 | 192.168.2.7 | 94.100.180.31
                                                                                                 Sep 3, 2024 19:07:34.178509951 CEST | 49723 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:07:34.178606033 CEST | 443 | 49723 | 77.232.41.29 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:07:34.178678036 CEST | 49723 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:07:34.288604021 CEST | 49728 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Sep 3, 2024 19:07:34.288659096 CEST | 443 | 49728 | 77.232.41.29 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:07:34.288743973 CEST | 49728 | 443 | 192.168.2.7 | 77.232.41.29
                                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                 Sep 3, 2024 19:06:10.690984964 CEST | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:10.699084997 CEST | 53 | 49707 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:13.150185108 CEST | 52116 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:13.678658962 CEST | 59252 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:14.053198099 CEST | 53 | 59252 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:30.694114923 CEST | 59410 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:30.701314926 CEST | 53 | 59410 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:30.703849077 CEST | 58161 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 53 | 58161 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:50.725470066 CEST | 59581 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:50.739492893 CEST | 53 | 59581 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:06:50.740232944 CEST | 53521 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 53 | 53521 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:07:10.741189957 CEST | 58578 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:07:10.749372005 CEST | 53 | 58578 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:07:10.749847889 CEST | 57410 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:07:10.758018970 CEST | 53 | 57410 | 1.1.1.1 | 192.168.2.7
                                                                                                 Sep 3, 2024 19:08:11.672493935 CEST | 57185 | 53 | 192.168.2.7 | 1.1.1.1
                                                                                                 Sep 3, 2024 19:08:11.710716009 CEST | 53 | 57185 | 1.1.1.1 | 192.168.2.7
                                                                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                 Sep 3, 2024 19:06:10.690984964 CEST | 192.168.2.7 | 1.1.1.1 | 0xeb92 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:13.150185108 CEST | 192.168.2.7 | 1.1.1.1 | 0x96bc | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:13.678658962 CEST | 192.168.2.7 | 1.1.1.1 | 0xbabe | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.694114923 CEST | 192.168.2.7 | 1.1.1.1 | 0x24f | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.703849077 CEST | 192.168.2.7 | 1.1.1.1 | 0x2f66 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.725470066 CEST | 192.168.2.7 | 1.1.1.1 | 0x978d | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.740232944 CEST | 192.168.2.7 | 1.1.1.1 | 0x3bcc | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:07:10.741189957 CEST | 192.168.2.7 | 1.1.1.1 | 0xdda | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:07:10.749847889 CEST | 192.168.2.7 | 1.1.1.1 | 0x24f1 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:08:11.672493935 CEST | 192.168.2.7 | 1.1.1.1 | 0x413e | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                 Sep 3, 2024 19:06:10.699084997 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb92 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:10.699084997 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb92 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:10.699084997 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb92 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:10.699084997 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb92 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:13.157033920 CEST | 1.1.1.1 | 192.168.2.7 | 0x96bc | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:14.053198099 CEST | 1.1.1.1 | 192.168.2.7 | 0xbabe | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.701314926 CEST | 1.1.1.1 | 192.168.2.7 | 0x24f | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.701314926 CEST | 1.1.1.1 | 192.168.2.7 | 0x24f | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.701314926 CEST | 1.1.1.1 | 192.168.2.7 | 0x24f | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:30.712985992 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f66 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.739492893 CEST | 1.1.1.1 | 192.168.2.7 | 0x978d | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bcc | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bcc | No error (0) | smtp.google.com | | 142.251.173.26 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bcc | No error (0) | smtp.google.com | | 64.233.184.27 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bcc | No error (0) | smtp.google.com | | 74.125.206.26 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:06:50.748500109 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bcc | No error (0) | smtp.google.com | | 64.233.184.26 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:07:10.749372005 CEST | 1.1.1.1 | 192.168.2.7 | 0xdda | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:07:10.758018970 CEST | 1.1.1.1 | 192.168.2.7 | 0x24f1 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:07:10.758018970 CEST | 1.1.1.1 | 192.168.2.7 | 0x24f1 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:08:11.710716009 CEST | 1.1.1.1 | 192.168.2.7 | 0x413e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.4 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:08:11.710716009 CEST | 1.1.1.1 | 192.168.2.7 | 0x413e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.36 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:08:11.710716009 CEST | 1.1.1.1 | 192.168.2.7 | 0x413e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.9 | A (IP address) | IN (0x0001) | false
                                                                                                 Sep 3, 2024 19:08:11.710716009 CEST | 1.1.1.1 | 192.168.2.7 | 0x413e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.9.11 | A (IP address) | IN (0x0001) | false
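The DNS and TCP tables above show the sequence a mail-sending bot produces: an MX query for a consumer mail domain (yahoo.com, google.com, mail.ru), an A query for the exchange host, then an outbound connection to it on TCP/25, repeated every twenty seconds for a new domain. The following script is an added detection example, not part of the Joe Sandbox report or its tooling: it correlates the two tables and flags the host as a spam bot when several distinct TCP/25 peers are reached shortly after MX answers. Its tab-separated input records are constructed from the values on this page; the record layout, the 5-second correlation window, the three-target threshold and the `analyse` function are assumptions made for the example, not a Joe Sandbox export format.

```python
"""Correlate MX answers with outbound TCP/25 connects in sandbox network logs.

Added example, not part of the Joe Sandbox report. Records are constructed
from the report's TCP and DNS tables; field order, window and threshold are
assumptions for this example.
"""

LOCAL_IP = "192.168.2.7"    # the analysis VM's address in the report
MX_WINDOW_SEC = 5.0         # assumed: MX answer this close before a TCP/25 connect is related
MIN_SMTP_TARGETS = 3        # assumed: distinct TCP/25 peers needed for the spam-bot verdict

# Constructed from the report's TCP table: time, sport, dport, src, dst.
# Repeated packets of one flow and an inbound 443 reply exercise the filters.
TCP_LOG = """\
19:06:10.699621916\t49701\t25\t192.168.2.7\t52.101.42.0
19:06:11.709086895\t49701\t25\t192.168.2.7\t52.101.42.0
19:06:14.053828955\t49707\t443\t192.168.2.7\t77.232.41.29
19:06:14.053872108\t443\t49707\t77.232.41.29\t192.168.2.7
19:06:30.713567019\t49719\t25\t192.168.2.7\t98.136.96.74
19:06:31.724771023\t49719\t25\t192.168.2.7\t98.136.96.74
19:06:50.749098063\t49722\t25\t192.168.2.7\t74.125.206.27
19:07:10.758471966\t49727\t25\t192.168.2.7\t94.100.180.31
"""

# Constructed from the report's DNS answer table: time, name, type, address
# (empty address for MX answers; the report does not show the exchange names).
DNS_LOG = """\
19:06:10.699084997\tmicrosoft-com.mail.protection.outlook.com\tA\t52.101.42.0
19:06:14.053198099\tvanaheim.cn\tA\t77.232.41.29
19:06:30.701314926\tyahoo.com\tMX\t
19:06:30.712985992\tmta6.am0.yahoodns.net\tA\t98.136.96.74
19:06:50.739492893\tgoogle.com\tMX\t
19:06:50.748500109\tsmtp.google.com\tA\t74.125.206.27
19:07:10.749372005\tmail.ru\tMX\t
19:07:10.758018970\tmxs.mail.ru\tA\t94.100.180.31
"""


def parse_ts(stamp):
    """'HH:MM:SS.fraction' -> seconds since midnight; keeps nanosecond digits."""
    hours, minutes, seconds = stamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_records(text, fields):
    """Tab-separated lines -> dicts keyed by `fields`; 'time' becomes float 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        row = dict(zip(fields, values))
        row["ts"] = parse_ts(row.pop("time"))
        rows.append(row)
    return rows


def outbound_flows(tcp_rows, local_ip, dport):
    """First packet of each outbound flow to `dport`; repeats of the same
    (sport, dst) pair are retransmissions and count as one connection."""
    seen, flows = set(), []
    for r in tcp_rows:
        if r["src"] != local_ip or int(r["dport"]) != dport:
            continue
        key = (r["sport"], r["dst"])
        if key not in seen:
            seen.add(key)
            flows.append(r)
    return flows


def analyse(tcp_text=TCP_LOG, dns_text=DNS_LOG, local_ip=LOCAL_IP, window=MX_WINDOW_SEC):
    tcp = parse_records(tcp_text, ["time", "sport", "dport", "src", "dst"])
    dns = parse_records(dns_text, ["time", "name", "type", "address"])
    host_by_ip = {d["address"]: d["name"] for d in dns if d["type"] == "A" and d["address"]}
    mx_answers = [d for d in dns if d["type"] == "MX"]
    findings = []
    for f in outbound_flows(tcp, local_ip, 25):
        # Latest MX answer inside the window before the connect, if any. A
        # workstation delivers mail through its provider's submission server;
        # resolving MX records itself and dialling port 25 is MTA behaviour.
        recent = [m for m in mx_answers if 0 <= f["ts"] - m["ts"] <= window]
        findings.append({
            "dst": f["dst"],
            "host": host_by_ip.get(f["dst"]),
            "mx_domain": recent[-1]["name"] if recent else None,
        })
    targets = {x["dst"] for x in findings}
    verdict = "spam-bot" if len(targets) >= MIN_SMTP_TARGETS else "inconclusive"
    return {"smtp": findings, "distinct_targets": len(targets), "verdict": verdict}


if __name__ == "__main__":
    result = analyse()
    for x in result["smtp"]:
        print(f"TCP/25 -> {x['dst']:15} {x['host'] or '?':42} after MX lookup of {x['mx_domain'] or '(none)'}")
    print(f"{result['distinct_targets']} distinct SMTP targets: {result['verdict']}")
```

The first connection (to 52.101.42.0) is reached by a direct A lookup of an Outlook Protection host with no preceding MX query, so it is reported without an MX domain; the remaining three follow an MX answer within milliseconds, and four distinct port-25 peers from a single workstation cross the threshold. Real captures need the same de-duplication of retransmitted packets the `outbound_flows` step performs, or each retry would inflate the count.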


                                                                                                Target ID:0
                                                                                                Start time:13:06:05
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Users\user\Desktop\qkkcfptf.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\qkkcfptf.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:12'178'944 bytes
                                                                                                MD5 hash:FED6D9F141D4AC6B3388A2C90722BD62
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1249791218.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:13:06:06
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tdomrpcj\
                                                                                                Imagebase:0x410000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:13:06:06
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\lsremmuy.exe" C:\Windows\SysWOW64\tdomrpcj\
                                                                                                Imagebase:0x410000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\sc.exe" create tdomrpcj binPath= "C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d\"C:\Users\user\Desktop\qkkcfptf.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                Imagebase:0xf10000
                                                                                                File size:61'440 bytes
                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                Imagebase:0x7ff66cbd0000
                                                                                                File size:329'504 bytes
                                                                                                MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:10
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:11
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:12
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:13
                                                                                                Start time:13:06:07
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:14
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\sc.exe" description tdomrpcj "wifi internet conection"
                                                                                                Imagebase:0xf10000
                                                                                                File size:61'440 bytes
                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:17
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:18
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\sc.exe" start tdomrpcj
                                                                                                Imagebase:0xf10000
                                                                                                File size:61'440 bytes
                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:13:06:08
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe /d"C:\Users\user\Desktop\qkkcfptf.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:12'557'824 bytes
                                                                                                MD5 hash:42ADE3A590E500EFD32B843D033A73E4
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000002.1286182935.00000000009C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000014.00000002.1286235546.00000000009F2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000003.1285227786.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Has exited:true

                                                                                                Target ID:21
                                                                                                Start time:13:06:09
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                Imagebase:0x1770000
                                                                                                File size:82'432 bytes
                                                                                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:22
                                                                                                Start time:13:06:09
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:23
                                                                                                Start time:13:06:09
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:svchost.exe
                                                                                                Imagebase:0x670000
                                                                                                File size:46'504 bytes
                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Has exited:false

                                                                                                Target ID:24
                                                                                                Start time:13:06:10
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:25
                                                                                                Start time:13:06:12
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:28
                                                                                                Start time:14:26:02
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:29
                                                                                                Start time:14:26:40
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                Imagebase:0x7ff6f2860000
                                                                                                File size:468'120 bytes
                                                                                                MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:30
                                                                                                Start time:14:26:40
                                                                                                Start date:03/09/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff75da10000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.9%
                                                                                                  Dynamic/Decrypted Code Coverage:30.2%
                                                                                                  Signature Coverage:27.2%
                                                                                                  Total number of Nodes:1594
                                                                                                  Total number of Limit Nodes:19
40cced CloseHandle 15064->15068 15065->15060 15066->15060 15069 40d182 WriteFile CloseHandle 15066->15069 15067->15060 15074 40cd2f 15068->15074 15069->15060 15070 40cd16 wsprintfA 15070->15074 15071->15066 15072->15060 15073->15060 15074->15070 15600 407fcf 15074->15600 15075->15060 15076->15060 15076->15078 15078->15060 15081 40d415 WriteFile CloseHandle 15078->15081 15080->15060 15081->15060 15082 40cd81 WaitForSingleObject CloseHandle CloseHandle 15084 40f04e 4 API calls 15082->15084 15083 40cda5 15085 407ee6 64 API calls 15083->15085 15084->15083 15089 40cdbd DeleteFileA 15085->15089 15086->15060 15090 40d4e8 CloseHandle CloseHandle 15086->15090 15087->15078 15088->15060 15088->15091 15089->15060 15090->15060 15091->15060 15094 40d2d8 WriteFile CloseHandle 15091->15094 15092->15060 15093->15060 15094->15060 15096->15091 15098->15060 15100 40741b 15099->15100 15101 406dc2 6 API calls 15100->15101 15102 40743f 15101->15102 15103 407469 RegOpenKeyExA 15102->15103 15105 4077f9 15103->15105 15115 407487 ___ascii_stricmp 15103->15115 15104 407703 RegEnumKeyA 15106 407714 RegCloseKey 15104->15106 15104->15115 15105->14714 15106->15105 15107 40f1a5 lstrlenA 15107->15115 15108 4074d2 RegOpenKeyExA 15108->15115 15109 40772c 15111 407742 RegCloseKey 15109->15111 15112 40774b 15109->15112 15110 407521 RegQueryValueExA 15110->15115 15111->15112 15113 4077ec RegCloseKey 15112->15113 15113->15105 15114 4076e4 RegCloseKey 15114->15115 15115->15104 15115->15107 15115->15108 15115->15109 15115->15110 15115->15114 15117 40777e GetFileAttributesExA 15115->15117 15118 407769 15115->15118 15116 4077e3 RegCloseKey 15116->15113 15117->15118 15118->15116 15120 407073 15119->15120 15121 4070b9 RegOpenKeyExA 15120->15121 15122 4070d0 15121->15122 15136 4071b8 15121->15136 15123 406dc2 6 API calls 15122->15123 15126 4070d5 15123->15126 15124 40719b RegEnumValueA 15125 4071af RegCloseKey 15124->15125 15124->15126 15125->15136 15126->15124 15128 4071d0 15126->15128 15142 40f1a5 lstrlenA 
15126->15142 15129 407205 RegCloseKey 15128->15129 15130 407227 15128->15130 15129->15136 15131 4072b8 ___ascii_stricmp 15130->15131 15132 40728e RegCloseKey 15130->15132 15133 4072cd RegCloseKey 15131->15133 15134 4072dd 15131->15134 15132->15136 15133->15136 15135 407311 RegCloseKey 15134->15135 15138 407335 15134->15138 15135->15136 15136->14715 15137 4073d5 RegCloseKey 15139 4073e4 15137->15139 15138->15137 15140 40737e GetFileAttributesExA 15138->15140 15141 407397 15138->15141 15140->15141 15141->15137 15143 40f1c3 15142->15143 15143->15126 15145 403edc 15144->15145 15147 403ee2 15144->15147 15146 406dc2 6 API calls 15145->15146 15146->15147 15147->14721 15149 40400b CreateFileA 15148->15149 15150 40402c GetLastError 15149->15150 15151 404052 15149->15151 15150->15151 15152 404037 15150->15152 15151->14719 15151->14724 15151->14725 15152->15151 15153 404041 Sleep 15152->15153 15153->15149 15153->15151 15155 403f7c 15154->15155 15156 403f4e GetLastError 15154->15156 15158 403f8c ReadFile 15155->15158 15156->15155 15157 403f5b WaitForSingleObject GetOverlappedResult 15156->15157 15157->15155 15159 403ff0 15158->15159 15160 403fc2 GetLastError 15158->15160 15159->14730 15159->14731 15160->15159 15161 403fcf WaitForSingleObject GetOverlappedResult 15160->15161 15161->15159 15165 40eb74 15162->15165 15166 40eb7b GetProcessHeap HeapSize 15165->15166 15167 404350 15165->15167 15166->15167 15167->14738 15169 401924 GetVersionExA 15168->15169 15169->14782 15171 406eef AllocateAndInitializeSid 15170->15171 15177 406f55 15170->15177 15172 406f44 15171->15172 15173 406f1c CheckTokenMembership 15171->15173 15172->15177 15204 406e36 GetUserNameW 15172->15204 15174 406f3b FreeSid 15173->15174 15175 406f2e 15173->15175 15174->15172 15175->15174 15177->14793 15179 40920e 15178->15179 15182 409308 15178->15182 15180 4092f1 Sleep 15179->15180 15181 4092bf ShellExecuteA 15179->15181 15179->15182 15180->15179 15181->15179 15181->15182 15182->14809 15184 40ef32 15183->15184 
15184->14808 15186 40f0f1 15185->15186 15187 40f0ed 15185->15187 15188 40f119 15186->15188 15189 40f0fa lstrlenA SysAllocStringByteLen 15186->15189 15187->14814 15191 40f11c MultiByteToWideChar 15188->15191 15190 40f117 15189->15190 15189->15191 15190->14814 15191->15190 15193 401820 17 API calls 15192->15193 15194 4018f2 15193->15194 15195 4018f9 15194->15195 15207 401280 15194->15207 15195->14809 15197 401908 15197->14809 15220 401000 15198->15220 15200 401839 15201 401851 GetCurrentProcess 15200->15201 15202 40183d 15200->15202 15203 401864 15201->15203 15202->14800 15203->14800 15205 406e97 15204->15205 15206 406e5f LookupAccountNameW 15204->15206 15205->15177 15206->15205 15210 4012e1 ShellExecuteExW 15207->15210 15209 4016f9 GetLastError 15211 401699 15209->15211 15210->15209 15217 4013a8 15210->15217 15211->15197 15212 401570 lstrlenW 15212->15217 15213 4015be GetStartupInfoW 15213->15217 15214 4015ff CreateProcessWithLogonW 15215 4016bf GetLastError 15214->15215 15216 40163f WaitForSingleObject 15214->15216 15215->15211 15216->15217 15218 401659 CloseHandle 15216->15218 15217->15211 15217->15212 15217->15213 15217->15214 15219 401668 CloseHandle 15217->15219 15218->15217 15219->15217 15221 40100d LoadLibraryA 15220->15221 15231 401023 15220->15231 15222 401021 15221->15222 15221->15231 15222->15200 15223 4010b5 GetProcAddress 15224 4010d1 GetProcAddress 15223->15224 15225 40127b 15223->15225 15224->15225 15226 4010f0 GetProcAddress 15224->15226 15225->15200 15226->15225 15227 401110 GetProcAddress 15226->15227 15227->15225 15228 401130 GetProcAddress 15227->15228 15228->15225 15229 40114f GetProcAddress 15228->15229 15229->15225 15230 40116f GetProcAddress 15229->15230 15230->15225 15232 40118f GetProcAddress 15230->15232 15231->15223 15240 4010ae 15231->15240 15232->15225 15233 4011ae GetProcAddress 15232->15233 15233->15225 15234 4011ce GetProcAddress 15233->15234 15234->15225 15235 4011ee GetProcAddress 15234->15235 15235->15225 15236 401209 
GetProcAddress 15235->15236 15236->15225 15237 401225 GetProcAddress 15236->15237 15237->15225 15238 401241 GetProcAddress 15237->15238 15238->15225 15239 40125c GetProcAddress 15238->15239 15239->15225 15240->15200 15243 4069b9 WriteFile 15241->15243 15244 406a3c 15243->15244 15246 4069ff 15243->15246 15244->14824 15244->14825 15245 406a10 WriteFile 15245->15244 15245->15246 15246->15244 15246->15245 15248 40eb17 15247->15248 15249 40eb21 15247->15249 15251 40eae4 15248->15251 15249->14826 15252 40eb02 GetProcAddress 15251->15252 15253 40eaed LoadLibraryA 15251->15253 15252->15249 15253->15252 15254 40eb01 15253->15254 15254->15249 15256 40eba7 GetProcessHeap HeapSize 15255->15256 15257 40ebbf GetProcessHeap HeapFree 15255->15257 15256->15257 15257->14857 15259 40908d 15258->15259 15260 4090e2 wsprintfA 15259->15260 15261 40ee2a 15260->15261 15262 4090fd CreateFileA 15261->15262 15263 40911a lstrlenA WriteFile CloseHandle 15262->15263 15264 40913f 15262->15264 15263->15264 15264->14866 15264->14867 15266 40ee2a 15265->15266 15267 409794 CreateProcessA 15266->15267 15268 4097c2 15267->15268 15269 4097bb 15267->15269 15270 4097d4 GetThreadContext 15268->15270 15269->14878 15271 409801 15270->15271 15272 4097f5 15270->15272 15279 40637c 15271->15279 15273 4097f6 TerminateProcess 15272->15273 15273->15269 15275 409816 15275->15273 15276 40981e WriteProcessMemory 15275->15276 15276->15272 15277 40983b SetThreadContext 15276->15277 15277->15272 15278 409858 ResumeThread 15277->15278 15278->15269 15280 406386 15279->15280 15281 40638a GetModuleHandleA VirtualAlloc 15279->15281 15280->15275 15282 4063b6 15281->15282 15286 4063f5 15281->15286 15283 4063be VirtualAllocEx 15282->15283 15284 4063d6 15283->15284 15283->15286 15285 4063df WriteProcessMemory 15284->15285 15285->15286 15286->15275 15288 40dd41 InterlockedExchange 15287->15288 15289 40dd20 GetCurrentThreadId 15288->15289 15290 40dd4a 15288->15290 15291 40dd53 GetCurrentThreadId 15289->15291 15292 40dd2e 
GetTickCount 15289->15292 15290->15291 15291->14881 15292->15290 15293 40dd39 Sleep 15292->15293 15293->15288 15295 40dbf0 15294->15295 15327 40db67 GetEnvironmentVariableA 15295->15327 15297 40dc19 15298 40dcda 15297->15298 15299 40db67 3 API calls 15297->15299 15298->14883 15300 40dc5c 15299->15300 15300->15298 15301 40db67 3 API calls 15300->15301 15302 40dc9b 15301->15302 15302->15298 15303 40db67 3 API calls 15302->15303 15303->15298 15305 40db55 15304->15305 15306 40db3a 15304->15306 15305->14885 15305->14890 15331 40ebed 15306->15331 15340 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15308->15340 15310 40e3be 15310->14885 15311 40e342 15311->15310 15343 40de24 15311->15343 15314 40e528 15313->15314 15315 40e3f4 15313->15315 15314->14894 15316 40e434 RegQueryValueExA 15315->15316 15317 40e458 15316->15317 15318 40e51d RegCloseKey 15316->15318 15319 40e46e RegQueryValueExA 15317->15319 15318->15314 15319->15317 15320 40e488 15319->15320 15320->15318 15321 40db2e 8 API calls 15320->15321 15322 40e499 15321->15322 15322->15318 15323 40e4b9 RegQueryValueExA 15322->15323 15324 40e4e8 15322->15324 15323->15322 15323->15324 15324->15318 15325 40e332 14 API calls 15324->15325 15326 40e513 15325->15326 15326->15318 15328 40dbca 15327->15328 15330 40db89 lstrcpyA CreateFileA 15327->15330 15328->15297 15330->15297 15332 40ec01 15331->15332 15333 40ebf6 15331->15333 15335 40eba0 codecvt 2 API calls 15332->15335 15334 40ebcc 4 API calls 15333->15334 15336 40ebfe 15334->15336 15337 40ec0a GetProcessHeap HeapReAlloc 15335->15337 15336->15305 15338 40eb74 2 API calls 15337->15338 15339 40ec28 15338->15339 15339->15305 15354 40eb41 15340->15354 15344 40de3a 15343->15344 15350 40de4e 15344->15350 15358 40dd84 15344->15358 15347 40ebed 8 API calls 15352 40def6 15347->15352 15348 40de9e 15348->15347 15348->15350 15349 40de76 15362 40ddcf 15349->15362 15350->15311 15352->15350 15353 40ddcf lstrcmpA 15352->15353 15353->15350 15355 40eb4a 15354->15355 15357 40eb54 
15354->15357 15356 40eae4 2 API calls 15355->15356 15356->15357 15357->15311 15359 40ddc5 15358->15359 15360 40dd96 15358->15360 15359->15348 15359->15349 15360->15359 15361 40ddad lstrcmpiA 15360->15361 15361->15359 15361->15360 15363 40dddd 15362->15363 15365 40de20 15362->15365 15364 40ddfa lstrcmpA 15363->15364 15363->15365 15364->15363 15365->15350 15367 40dd05 6 API calls 15366->15367 15368 40e821 15367->15368 15369 40dd84 lstrcmpiA 15368->15369 15370 40e82c 15369->15370 15371 40e844 15370->15371 15414 402480 15370->15414 15371->14910 15374 40dd05 6 API calls 15373->15374 15375 40df7c 15374->15375 15376 40dd84 lstrcmpiA 15375->15376 15380 40df89 15376->15380 15377 40dfc4 15377->14916 15378 40ddcf lstrcmpA 15378->15380 15379 40ec2e codecvt 4 API calls 15379->15380 15380->15377 15380->15378 15380->15379 15381 40dd84 lstrcmpiA 15380->15381 15381->15380 15383 40ea98 15382->15383 15423 40e8a1 15383->15423 15385 401e84 15385->14919 15387 4019d5 GetProcAddress GetProcAddress GetProcAddress 15386->15387 15390 4019ce 15386->15390 15388 401ab3 FreeLibrary 15387->15388 15389 401a04 15387->15389 15388->15390 15389->15388 15391 401a14 GetProcessHeap 15389->15391 15390->14923 15391->15390 15393 401a2e HeapAlloc 15391->15393 15393->15390 15394 401a42 15393->15394 15395 401a62 15394->15395 15396 401a52 HeapReAlloc 15394->15396 15397 401aa1 FreeLibrary 15395->15397 15398 401a96 HeapFree 15395->15398 15396->15395 15397->15390 15398->15397 15451 401ac3 LoadLibraryA 15399->15451 15402 401bcf 15402->14934 15404 401ac3 12 API calls 15403->15404 15405 401c09 15404->15405 15406 401c0d GetComputerNameA 15405->15406 15409 401c41 15405->15409 15407 401c45 GetVolumeInformationA 15406->15407 15408 401c1f 15406->15408 15407->15409 15408->15407 15408->15409 15409->14941 15411 40ee2a 15410->15411 15412 4030d0 gethostname gethostbyname 15411->15412 15413 401f82 15412->15413 15413->14947 15413->14949 15417 402419 lstrlenA 15414->15417 15416 402491 15416->15371 15418 402474 15417->15418 15419 
40243d lstrlenA 15417->15419 15418->15416 15420 402464 lstrlenA 15419->15420 15421 40244e lstrcmpiA 15419->15421 15420->15418 15420->15419 15421->15420 15422 40245c 15421->15422 15422->15418 15422->15420 15424 40dd05 6 API calls 15423->15424 15425 40e8b4 15424->15425 15426 40dd84 lstrcmpiA 15425->15426 15427 40e8c0 15426->15427 15428 40e8c8 lstrcpynA 15427->15428 15438 40e90a 15427->15438 15430 40e8f5 15428->15430 15429 402419 4 API calls 15431 40e926 lstrlenA lstrlenA 15429->15431 15444 40df4c 15430->15444 15432 40e96a 15431->15432 15433 40e94c lstrlenA 15431->15433 15437 40ebcc 4 API calls 15432->15437 15439 40ea27 15432->15439 15433->15432 15435 40e901 15436 40dd84 lstrcmpiA 15435->15436 15436->15438 15440 40e98f 15437->15440 15438->15429 15438->15439 15439->15385 15440->15439 15441 40df4c 20 API calls 15440->15441 15442 40ea1e 15441->15442 15443 40ec2e codecvt 4 API calls 15442->15443 15443->15439 15445 40dd05 6 API calls 15444->15445 15446 40df51 15445->15446 15447 40f04e 4 API calls 15446->15447 15448 40df58 15447->15448 15449 40de24 10 API calls 15448->15449 15450 40df63 15449->15450 15450->15435 15452 401ae2 GetProcAddress 15451->15452 15453 401b68 GetComputerNameA GetVolumeInformationA 15451->15453 15452->15453 15454 401af5 15452->15454 15453->15402 15455 40ebed 8 API calls 15454->15455 15456 401b29 15454->15456 15455->15454 15456->15453 15457 40ec2e codecvt 4 API calls 15456->15457 15457->15453 15459 406ec3 2 API calls 15458->15459 15460 407ef4 15459->15460 15461 4073ff 17 API calls 15460->15461 15462 407fc9 15460->15462 15463 407f16 15461->15463 15462->14958 15463->15462 15471 407809 GetUserNameA 15463->15471 15465 407f63 15465->15462 15466 40ef1e lstrlenA 15465->15466 15467 407fa6 15466->15467 15468 40ef1e lstrlenA 15467->15468 15469 407fb7 15468->15469 15495 407a95 RegOpenKeyExA 15469->15495 15472 40783d LookupAccountNameA 15471->15472 15473 407a8d 15471->15473 15472->15473 15474 407874 GetLengthSid GetFileSecurityA 15472->15474 15473->15465 
15474->15473 15475 4078a8 GetSecurityDescriptorOwner 15474->15475 15476 4078c5 EqualSid 15475->15476 15477 40791d GetSecurityDescriptorDacl 15475->15477 15476->15477 15478 4078dc LocalAlloc 15476->15478 15477->15473 15489 407941 15477->15489 15478->15477 15479 4078ef InitializeSecurityDescriptor 15478->15479 15480 407916 LocalFree 15479->15480 15481 4078fb SetSecurityDescriptorOwner 15479->15481 15480->15477 15481->15480 15483 40790b SetFileSecurityA 15481->15483 15482 40795b GetAce 15482->15489 15483->15480 15484 407980 EqualSid 15484->15489 15485 407a3d 15485->15473 15488 407a43 LocalAlloc 15485->15488 15486 4079be EqualSid 15486->15489 15487 40799d DeleteAce 15487->15489 15488->15473 15490 407a56 InitializeSecurityDescriptor 15488->15490 15489->15473 15489->15482 15489->15484 15489->15485 15489->15486 15489->15487 15491 407a62 SetSecurityDescriptorDacl 15490->15491 15492 407a86 LocalFree 15490->15492 15491->15492 15493 407a73 SetFileSecurityA 15491->15493 15492->15473 15493->15492 15494 407a83 15493->15494 15494->15492 15496 407ac4 15495->15496 15497 407acb GetUserNameA 15495->15497 15496->15462 15498 407da7 RegCloseKey 15497->15498 15499 407aed LookupAccountNameA 15497->15499 15498->15496 15499->15498 15500 407b24 RegGetKeySecurity 15499->15500 15500->15498 15501 407b49 GetSecurityDescriptorOwner 15500->15501 15502 407b63 EqualSid 15501->15502 15503 407bb8 GetSecurityDescriptorDacl 15501->15503 15502->15503 15504 407b74 LocalAlloc 15502->15504 15505 407da6 15503->15505 15514 407bdc 15503->15514 15504->15503 15506 407b8a InitializeSecurityDescriptor 15504->15506 15505->15498 15507 407bb1 LocalFree 15506->15507 15508 407b96 SetSecurityDescriptorOwner 15506->15508 15507->15503 15508->15507 15510 407ba6 RegSetKeySecurity 15508->15510 15509 407bf8 GetAce 15509->15514 15510->15507 15511 407c1d EqualSid 15511->15514 15512 407c5f EqualSid 15512->15514 15513 407cd9 15513->15505 15516 407d5a LocalAlloc 15513->15516 15518 407cf2 RegOpenKeyExA 15513->15518 15514->15505 
15514->15509 15514->15511 15514->15512 15514->15513 15515 407c3a DeleteAce 15514->15515 15515->15514 15516->15505 15517 407d70 InitializeSecurityDescriptor 15516->15517 15519 407d7c SetSecurityDescriptorDacl 15517->15519 15520 407d9f LocalFree 15517->15520 15518->15516 15523 407d0f 15518->15523 15519->15520 15521 407d8c RegSetKeySecurity 15519->15521 15520->15505 15521->15520 15522 407d9c 15521->15522 15522->15520 15524 407d43 RegSetValueExA 15523->15524 15524->15516 15525 407d54 15524->15525 15525->15516 15526->14977 15528 40dd05 6 API calls 15527->15528 15529 40e65f 15528->15529 15530 40e6a5 15529->15530 15532 40e68c lstrcmpA 15529->15532 15531 40ebcc 4 API calls 15530->15531 15536 40e6f5 15530->15536 15533 40e6b0 15531->15533 15532->15529 15534 40e6b7 15533->15534 15535 40e6e0 lstrcpynA 15533->15535 15533->15536 15534->14979 15535->15536 15536->15534 15537 40e71d lstrcmpA 15536->15537 15537->15536 15538->14985 15540 40c525 15539->15540 15544 40c532 15539->15544 15542 40ec2e codecvt 4 API calls 15540->15542 15540->15544 15541 40c548 15545 40e7ff lstrcmpiA 15541->15545 15550 40c54f 15541->15550 15542->15544 15544->15541 15691 40e7ff 15544->15691 15546 40c615 15545->15546 15549 40ebcc 4 API calls 15546->15549 15546->15550 15547 40c5d1 15552 40ebcc 4 API calls 15547->15552 15549->15550 15550->14998 15551 40e819 11 API calls 15553 40c5b7 15551->15553 15552->15550 15554 40f04e 4 API calls 15553->15554 15555 40c5bf 15554->15555 15555->15541 15555->15547 15557 402692 inet_addr 15556->15557 15558 40268e 15556->15558 15557->15558 15559 40269e gethostbyname 15557->15559 15560 40f428 15558->15560 15559->15558 15694 40f315 15560->15694 15565 40c8d2 15563->15565 15564 40c907 15564->15000 15565->15564 15566 40c517 23 API calls 15565->15566 15566->15564 15567 40f43e 15568 40f473 recv 15567->15568 15569 40f458 15568->15569 15570 40f47c 15568->15570 15569->15568 15569->15570 15570->15016 15572 40c670 15571->15572 15573 40c67d 15571->15573 15574 40ebcc 4 API calls 15572->15574 
15575 40ebcc 4 API calls 15573->15575 15576 40c699 15573->15576 15574->15573 15575->15576 15577 40c6f3 15576->15577 15578 40c73c send 15576->15578 15577->15029 15577->15060 15578->15577 15580 40c770 15579->15580 15581 40c77d 15579->15581 15582 40ebcc 4 API calls 15580->15582 15583 40c799 15581->15583 15584 40ebcc 4 API calls 15581->15584 15582->15581 15585 40c7b5 15583->15585 15587 40ebcc 4 API calls 15583->15587 15584->15583 15586 40f43e recv 15585->15586 15588 40c7cb 15586->15588 15587->15585 15589 40f43e recv 15588->15589 15590 40c7d3 15588->15590 15589->15590 15590->15060 15707 407db7 15591->15707 15594 407e96 15594->15060 15595 40f04e 4 API calls 15597 407e4c 15595->15597 15596 40f04e 4 API calls 15596->15594 15598 40f04e 4 API calls 15597->15598 15599 407e70 15597->15599 15598->15599 15599->15594 15599->15596 15601 406ec3 2 API calls 15600->15601 15602 407fdd 15601->15602 15603 4080c2 CreateProcessA 15602->15603 15604 4073ff 17 API calls 15602->15604 15603->15082 15603->15083 15605 407fff 15604->15605 15605->15603 15606 407809 21 API calls 15605->15606 15607 40804d 15606->15607 15607->15603 15608 40ef1e lstrlenA 15607->15608 15609 40809e 15608->15609 15610 40ef1e lstrlenA 15609->15610 15611 4080af 15610->15611 15612 407a95 24 API calls 15611->15612 15612->15603 15614 407db7 2 API calls 15613->15614 15615 407eb8 15614->15615 15616 40f04e 4 API calls 15615->15616 15617 407ece DeleteFileA 15616->15617 15617->15060 15619 40dd05 6 API calls 15618->15619 15620 40e31d 15619->15620 15711 40e177 15620->15711 15622 40e326 15622->15054 15624 4031f3 15623->15624 15634 4031ec 15623->15634 15625 40ebcc 4 API calls 15624->15625 15639 4031fc 15625->15639 15626 40344b 15627 403459 15626->15627 15628 40349d 15626->15628 15630 40f04e 4 API calls 15627->15630 15629 40ec2e codecvt 4 API calls 15628->15629 15629->15634 15631 40345f 15630->15631 15632 4030fa 4 API calls 15631->15632 15632->15634 15633 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15633->15639 
15634->15060 15635 40344d 15636 40ec2e codecvt 4 API calls 15635->15636 15636->15626 15638 403141 lstrcmpiA 15638->15639 15639->15626 15639->15633 15639->15634 15639->15635 15639->15638 15737 4030fa GetTickCount 15639->15737 15641 4030fa 4 API calls 15640->15641 15642 403c1a 15641->15642 15646 403ce6 15642->15646 15742 403a72 15642->15742 15645 403a72 9 API calls 15649 403c5e 15645->15649 15646->15060 15647 403a72 9 API calls 15647->15649 15648 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15648->15649 15649->15646 15649->15647 15649->15648 15651 403a10 15650->15651 15652 4030fa 4 API calls 15651->15652 15653 403a1a 15652->15653 15653->15060 15655 40dd05 6 API calls 15654->15655 15656 40e7be 15655->15656 15656->15060 15658 40c07e wsprintfA 15657->15658 15662 40c105 15657->15662 15751 40bfce GetTickCount wsprintfA 15658->15751 15660 40c0ef 15752 40bfce GetTickCount wsprintfA 15660->15752 15662->15060 15664 407047 15663->15664 15665 406f88 15663->15665 15664->15060 15665->15665 15666 406f94 LookupAccountNameA 15665->15666 15667 407025 15666->15667 15668 406fcb 15666->15668 15669 406edd 5 API calls 15667->15669 15671 406fdb ConvertSidToStringSidA 15668->15671 15670 40702a wsprintfA 15669->15670 15670->15664 15671->15667 15672 406ff1 15671->15672 15673 407013 LocalFree 15672->15673 15673->15667 15675 40dd05 6 API calls 15674->15675 15676 40e85c 15675->15676 15677 40dd84 lstrcmpiA 15676->15677 15678 40e867 15677->15678 15679 40e885 lstrcpyA 15678->15679 15753 4024a5 15678->15753 15756 40dd69 15679->15756 15685 407db7 2 API calls 15684->15685 15687 407de1 15685->15687 15686 407e16 15686->15060 15687->15686 15688 40f04e 4 API calls 15687->15688 15689 407df2 15688->15689 15689->15686 15690 40f04e 4 API calls 15689->15690 15690->15686 15692 40dd84 lstrcmpiA 15691->15692 15693 40c58e 15692->15693 15693->15541 15693->15547 15693->15551 15695 40f33b 15694->15695 15702 40ca1d 15694->15702 15696 40f347 htons socket 15695->15696 15697 40f382 ioctlsocket 
15696->15697 15698 40f374 closesocket 15696->15698 15699 40f3aa connect select 15697->15699 15700 40f39d 15697->15700 15698->15702 15699->15702 15703 40f3f2 __WSAFDIsSet 15699->15703 15701 40f39f closesocket 15700->15701 15701->15702 15702->15013 15702->15567 15703->15701 15704 40f403 ioctlsocket 15703->15704 15706 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15704->15706 15706->15702 15708 407dc8 InterlockedExchange 15707->15708 15709 407dc0 Sleep 15708->15709 15710 407dd4 15708->15710 15709->15708 15710->15595 15710->15599 15712 40e184 15711->15712 15713 40e223 15712->15713 15725 40e2e4 15712->15725 15727 40dfe2 15712->15727 15715 40dfe2 8 API calls 15713->15715 15713->15725 15719 40e23c 15715->15719 15716 40e1be 15716->15713 15717 40dbcf 3 API calls 15716->15717 15720 40e1d6 15717->15720 15718 40e21a CloseHandle 15718->15713 15719->15725 15731 40e095 RegCreateKeyExA 15719->15731 15720->15713 15720->15718 15721 40e1f9 WriteFile 15720->15721 15721->15718 15723 40e213 15721->15723 15723->15718 15724 40e2a3 15724->15725 15726 40e095 4 API calls 15724->15726 15725->15622 15726->15725 15728 40dffc 15727->15728 15730 40e024 15727->15730 15729 40db2e 8 API calls 15728->15729 15728->15730 15729->15730 15730->15716 15732 40e172 15731->15732 15735 40e0c0 15731->15735 15732->15724 15733 40e13d 15734 40e14e RegDeleteValueA RegCloseKey 15733->15734 15734->15732 15735->15733 15736 40e115 RegSetValueExA 15735->15736 15736->15733 15736->15735 15738 403122 InterlockedExchange 15737->15738 15739 40312e 15738->15739 15740 40310f GetTickCount 15738->15740 15739->15639 15740->15739 15741 40311a Sleep 15740->15741 15741->15738 15743 40f04e 4 API calls 15742->15743 15750 403a83 15743->15750 15744 403ac1 15744->15645 15744->15646 15745 403be6 15747 40ec2e codecvt 4 API calls 15745->15747 15746 403bc0 15746->15745 15748 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15746->15748 15747->15744 15748->15746 15749 403b66 lstrlenA 15749->15744 15749->15750 
15750->15744 15750->15746 15750->15749 15751->15660 15752->15662 15754 402419 4 API calls 15753->15754 15755 4024b6 15754->15755 15755->15679 15757 40dd79 lstrlenA 15756->15757 15757->15060 15759 404084 15758->15759 15760 40407d 15758->15760 15761 403ecd 6 API calls 15759->15761 15762 40408f 15761->15762 15763 404000 3 API calls 15762->15763 15765 404095 15763->15765 15764 404130 15766 403ecd 6 API calls 15764->15766 15765->15764 15770 403f18 4 API calls 15765->15770 15767 404159 CreateNamedPipeA 15766->15767 15768 404167 Sleep 15767->15768 15769 404188 ConnectNamedPipe 15767->15769 15768->15764 15771 404176 CloseHandle 15768->15771 15773 404195 GetLastError 15769->15773 15783 4041ab 15769->15783 15772 4040da 15770->15772 15771->15769 15774 403f8c 4 API calls 15772->15774 15775 40425e DisconnectNamedPipe 15773->15775 15773->15783 15776 4040ec 15774->15776 15775->15769 15777 404127 CloseHandle 15776->15777 15778 404101 15776->15778 15777->15764 15780 403f18 4 API calls 15778->15780 15779 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15779->15783 15781 40411c ExitProcess 15780->15781 15782 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15782->15783 15783->15769 15783->15775 15783->15779 15783->15782 15784 40426a CloseHandle CloseHandle 15783->15784 15785 40e318 23 API calls 15784->15785 15786 40427b 15785->15786 15786->15786 15788 408791 15787->15788 15789 40879f 15787->15789 15791 40f04e 4 API calls 15788->15791 15790 4087bc 15789->15790 15792 40f04e 4 API calls 15789->15792 15793 40e819 11 API calls 15790->15793 15791->15789 15792->15790 15794 4087d7 15793->15794 15807 408803 15794->15807 15809 4026b2 gethostbyaddr 15794->15809 15797 4087eb 15799 40e8a1 30 API calls 15797->15799 15797->15807 15799->15807 15802 40e819 11 API calls 15802->15807 15803 4088a0 Sleep 15803->15807 15804 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15804->15807 15806 4026b2 2 API calls 15806->15807 
15807->15802 15807->15803 15807->15804 15807->15806 15808 40e8a1 30 API calls 15807->15808 15814 408cee 15807->15814 15822 40c4d6 15807->15822 15825 40c4e2 15807->15825 15828 402011 15807->15828 15863 408328 15807->15863 15808->15807 15810 4026fb 15809->15810 15811 4026cd 15809->15811 15810->15797 15812 4026e1 inet_ntoa 15811->15812 15813 4026de 15811->15813 15812->15813 15813->15797 15815 408d02 GetTickCount 15814->15815 15816 408dae 15814->15816 15815->15816 15818 408d19 15815->15818 15816->15807 15817 408da1 GetTickCount 15817->15816 15818->15817 15821 408d89 15818->15821 15915 40a677 15818->15915 15918 40a688 15818->15918 15821->15817 15926 40c2dc 15822->15926 15826 40c2dc 142 API calls 15825->15826 15827 40c4ec 15826->15827 15827->15807 15829 402020 15828->15829 15830 40202e 15828->15830 15831 40f04e 4 API calls 15829->15831 15832 40204b 15830->15832 15833 40f04e 4 API calls 15830->15833 15831->15830 15834 40206e GetTickCount 15832->15834 15835 40f04e 4 API calls 15832->15835 15833->15832 15836 402090 15834->15836 15837 4020db GetTickCount 15834->15837 15839 402068 15835->15839 15840 4020d4 GetTickCount 15836->15840 15844 402684 2 API calls 15836->15844 15858 4020ce 15836->15858 16255 401978 15836->16255 15838 402132 GetTickCount GetTickCount 15837->15838 15849 4020e7 15837->15849 15841 40f04e 4 API calls 15838->15841 15839->15834 15840->15837 15843 402159 15841->15843 15842 40212b GetTickCount 15842->15838 15846 40e854 13 API calls 15843->15846 15860 4021b4 15843->15860 15844->15836 15848 40218e 15846->15848 15847 40f04e 4 API calls 15851 4021d1 15847->15851 15853 40e819 11 API calls 15848->15853 15849->15842 15854 401978 15 API calls 15849->15854 15855 402125 15849->15855 16260 402ef8 15849->16260 15852 4021f2 15851->15852 15856 40ea84 30 API calls 15851->15856 15852->15807 15857 40219c 15853->15857 15854->15849 15855->15842 15859 4021ec 15856->15859 15857->15860 16268 401c5f 15857->16268 15858->15840 15861 40f04e 4 API calls 15859->15861 15860->15847 
Control-flow graph (continued; the interactive node and edge list is omitted). Call sites recoverable from the graphed functions: registry read/write-back at 4083ea-408573 (RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey); GetTempPathA at 408626 and a temp-file writer at 406c07-406c5a (CreateFileA, WriteFile, CloseHandle, with DeleteFileA on one path); CreateProcessA at 408719 with both returned handles closed at 40873d, then DeleteFileA at 40875b; a worker thread started at 40c4ab (InterlockedIncrement, CreateThread, CloseHandle); a spin-wait at 40a4c7-40a4ef (GetTickCount, InterlockedExchange, Sleep); a send/recv exchange at 40a87d-40a978 with wsprintfA-formatted buffers and inet_ntoa at 40a7a3; host and time stamping at 40ad08 (gethostname) and 40ad89-40b33a (GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, wsprintfA); a raw socket/resolver routine at 4026ff-402ea5 (socket, select, recv, sendto, htons, inet_addr, gethostbyname, closesocket, buffers from GetProcessHeap/HeapAlloc/HeapFree) with LoadLibraryA/GetProcAddress import resolution at 402d21 and 402df2; IsBadCodePtr checks at 404fd5 and 406ba7; the unpacking stub in the 660005-6608c7 region (GetPEB, SetErrorMode twice, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, TerminateProcess at 660920) and a module walker at 6a8cc8 (CreateToolhelp32Snapshot, Module32First, VirtualAlloc at 6a89c3); and the registry-key ACL routine at 407a95 (RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, GetSecurityDescriptorDacl, GetAce, DeleteAce, RegOpenKeyExA at 407cf2, RegSetValueExA at 407d43, SetSecurityDescriptorDacl, RegSetKeySecurity, RegCloseKey at 407da7).
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

Graph for function 00407A95 (the interactive edge list and its executed/not-executed colouring are omitted). Recoverable call order: RegOpenKeyExA (407a95) -> GetUserNameA (407acb) -> LookupAccountNameA (407aed) -> RegGetKeySecurity (407b24) -> GetSecurityDescriptorOwner (407b49) -> EqualSid (407b63); on one branch of the EqualSid result: LocalAlloc (407b74) -> InitializeSecurityDescriptor (407b8a) -> SetSecurityDescriptorOwner (407b96) -> RegSetKeySecurity (407ba6) -> LocalFree (407bb1). Both branches reach GetSecurityDescriptorDacl (407bb8), then a loop over the ACEs (GetAce 407bf8, EqualSid 407c1d and 407c5f, DeleteAce 407c3a), then RegOpenKeyExA (407cf2) -> call 402544 and RegSetValueExA (407d20-407d52), and finally LocalAlloc (407d5a) -> InitializeSecurityDescriptor (407d70) -> SetSecurityDescriptorDacl (407d7c) -> RegSetKeySecurity (407d8c) -> LocalFree (407d9f) -> RegCloseKey (407da7).
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                  • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2976863881-1403908072
                                                                                                  • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                  • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 549 409326-409348 call 401910 GetVersionExA 552 409358-40935c 549->552 553 40934a-409356 549->553 554 409360-40937d GetModuleHandleA GetModuleFileNameA 552->554 553->554 555 409385-4093a2 554->555 556 40937f 554->556 557 4093a4-4093d7 call 402544 wsprintfA 555->557 558 4093d9-409412 call 402544 wsprintfA 555->558 556->555 563 409415-40942c call 40ee2a 557->563 558->563 566 4094a3-4094b3 call 406edd 563->566 567 40942e-409432 563->567 572 4094b9-4094f9 call 402544 RegOpenKeyExA 566->572 573 40962f-409632 566->573 567->566 568 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 567->568 568->566 583 409502-40952e call 402544 RegQueryValueExA 572->583 584 4094fb-409500 572->584 577 409634-409637 573->577 578 409639-40964a call 401820 577->578 579 40967b-409682 577->579 592 40964c-409662 578->592 593 40966d-409679 578->593 586 409683 call 4091eb 579->586 602 409530-409537 583->602 603 409539-409565 call 402544 RegQueryValueExA 583->603 588 40957a-40957f 584->588 596 409688-409690 586->596 597 409581-409584 588->597 598 40958a-40958d 588->598 600 409664-40966b 592->600 601 40962b-40962d 592->601 593->586 605 409692 596->605 606 409698-4096a0 596->606 597->577 597->598 598->579 599 409593-40959a 598->599 607 40961a-40961f 599->607 608 40959c-4095a1 599->608 600->601 612 4096a2-4096a9 601->612 609 40956e-409577 RegCloseKey 602->609 603->609 618 409567 603->618 605->606 606->612 616 409625 607->616 608->607 613 4095a3-4095c0 call 40f0e4 608->613 609->588 622 4095c2-4095db call 4018e0 613->622 623 40960c-409618 613->623 616->601 618->609 622->612 626 4095e1-4095f9 622->626 623->616 626->612 627 4095ff-409607 626->627 627->612
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                  • wsprintfA.USER32 ref: 004093CE
                                                                                                  • wsprintfA.USER32 ref: 0040940C
                                                                                                  • wsprintfA.USER32 ref: 0040948D
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                  • String ID: PromptOnSecureDesktop$runas
                                                                                                  • API String ID: 3696105349-2220793183
                                                                                                  • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                  • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                  • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                  • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

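The two listings above are worth reading together: the routine at 00407B16-00407BCE looks up an account SID, reads the security descriptor of a registry key, compares its owner with EqualSid and, when they differ, writes a fresh descriptor with SetSecurityDescriptorOwner and RegSetKeySecurity, while the routine at 004094F1 opens a key under hive 80000002 (HKEY_LOCAL_MACHINE) and queries a value, with PromptOnSecureDesktop and runas among its strings. The following script is an added example for this report, not Joe Sandbox code and not part of the sample: it parses the "• Api.MODULE(args), ref: ADDR" lines into records, names the hive when the first stack value of a Reg* call is a predefined HKEY, decodes registry access masks such as the 00020119 and 00000101 values that appear in these listings (the decoder takes a mask; it does not assume which stack slot holds it, since the sandbox prints raw stack values), and flags the owner-rewrite call sequence. The hive and access-mask constants are the documented Win32 values; the embedded listing is constructed from lines copied off this page.

```python
"""Parse Joe Sandbox "APIs" listing lines and flag a registry-ACL rewrite.

Added example for this report; not Joe Sandbox code and not sample code.
Constants are the documented winreg.h / winnt.h values. SAMPLE_LISTING is
constructed from lines copied off this report page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Union

# Constructed sample: entries copied from the 00407B16.. and 004094F1.. routines.
SAMPLE_LISTING = """\
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• wsprintfA.USER32 ref: 004093CE
"""

# One listing line: bullet, Api.MODULE, optional "(stack values)", "ref: ADDR".
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined HKEY handles (winreg.h), printed by the sandbox as 8 hex digits.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Registry access-mask bits (winreg.h / winnt.h) used to decode samDesired values.
SAM_BITS = [
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
]

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]   # raw stack values as printed; None where the sandbox shows "?"
    ref: int          # code address of the call site


def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token  # string argument, e.g. PromptOnSecureDesktop


def parse_listing(text: str) -> List[ApiCall]:
    """Return the API calls in a listing, sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, "Part of subcall" lines, hashes
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def hive_name(call: ApiCall) -> Optional[str]:
    """Name the root hive when a Reg* call's first stack value is a predefined HKEY."""
    if call.api.startswith("Reg") and call.args and isinstance(call.args[0], int):
        return HIVES.get(call.args[0])
    return None


def decode_sam(mask: int) -> set:
    """Expand a registry access mask into its named bits."""
    return {name for bit, name in SAM_BITS if mask & bit}


def has_ordered_sequence(calls: Sequence[ApiCall], wanted: Sequence[str]) -> bool:
    """True if the APIs in `wanted` occur in that order (not necessarily adjacent)."""
    i = 0
    for c in calls:
        if i < len(wanted) and c.api == wanted[i]:
            i += 1
    return i == len(wanted)


# Read owner -> compare -> write a new owner -> commit it to the key.
ACL_TAKEOVER = ("RegGetKeySecurity", "GetSecurityDescriptorOwner",
                "SetSecurityDescriptorOwner", "RegSetKeySecurity")


def flags_registry_acl_takeover(calls: Sequence[ApiCall]) -> bool:
    return has_ordered_sequence(calls, ACL_TAKEOVER)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} hive={hive_name(c)}")
    print("owner rewrite sequence:", flags_registry_acl_takeover(parsed))
    print("0x20119 =", sorted(decode_sam(0x20119)))
```

The ordered-subsequence check is deliberately loose: the sandbox lists each call site once, so a routine that reads the owner, compares it and only conditionally rewrites it still shows all four APIs, and the check fires on the presence and order of the call sites rather than on whether the rewrite branch actually executed in this run.
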
                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 666 406a60-406a89 CreateFileA 667 406b8c-406ba1 GetLastError 666->667 668 406a8f-406ac3 GetDiskFreeSpaceA 666->668 671 406ba3-406ba6 667->671 669 406ac5-406adc call 40eb0e 668->669 670 406b1d-406b34 call 406987 668->670 669->670 678 406ade 669->678 676 406b56-406b63 FindCloseChangeNotification 670->676 677 406b36-406b54 GetLastError CloseHandle 670->677 680 406b65-406b7d GetLastError CloseHandle 676->680 681 406b86-406b8a 676->681 679 406b7f-406b80 DeleteFileA 677->679 682 406ae0-406ae5 678->682 683 406ae7-406afb call 40eca5 678->683 679->681 680->679 681->671 682->683 684 406afd-406aff 682->684 683->670 684->670 687 406b01 684->687 688 406b03-406b08 687->688 689 406b0a-406b17 call 40eca5 687->689 688->670 688->689 689->670
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                  • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1251348514-2980165447
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                  • String ID:
                                                                                                  • API String ID: 1209300637-0
                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 821 66092b-660970 GetPEB 822 660972-660978 821->822 823 66098c-66098e 822->823 824 66097a-66098a call 660d35 822->824 823->822 825 660990 823->825 824->823 830 660992-660994 824->830 827 660996-660998 825->827 829 660a3b-660a3e 827->829 830->827 831 66099d-6609d3 830->831 832 6609dc-6609ee call 660d0c 831->832 835 6609d5-6609d8 832->835 836 6609f0-660a3a 832->836 835->832 836->829
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .$GetProcAddress.$l
                                                                                                  • API String ID: 0-2784972518
                                                                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                  • Instruction ID: 0767a01f73073ddf8465d6856b91ef3e7ecdbbdeaa762bea784f0377986859a6
                                                                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                  • Instruction Fuzzy Hash: 2F316CB6900609DFEB10CF99C880AEEBBF6FF48324F24515AD441A7351D771EA45CBA4

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 880 6a8cc8-6a8ce1 881 6a8ce3-6a8ce5 880->881 882 6a8cec-6a8cf8 CreateToolhelp32Snapshot 881->882 883 6a8ce7 881->883 884 6a8cfa-6a8d00 882->884 885 6a8d08-6a8d15 Module32First 882->885 883->882 884->885 890 6a8d02-6a8d06 884->890 886 6a8d1e-6a8d26 885->886 887 6a8d17-6a8d18 call 6a8987 885->887 891 6a8d1d 887->891 890->881 890->885 891->886
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006A8CF0
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 006A8D10
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, Offset: 00699000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_699000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: 3c9c70286becb1d7f0eaa0733f934713565bdd0023d67aac1300846b300d2d3d
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: 6BF062311007156FD7203BB99C8DAAA76E9BF5A725F140528E643925C0DF70EC454E61
                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                    • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                    • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Process$AllocateSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2559512979-0
                                                                                                  • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                  • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                  • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                  • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                                  Control-flow Graph

control_flow_graph 316 4073ff-407419 317 40741b 316->317 318 40741d-407422 316->318 317->318 319 407424 318->319 320 407426-40742b 318->320 319->320 321 407430-407435 320->321 322 40742d 320->322 323 407437 321->323 324 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 321->324 322->321 323->324 329 407487-40749d call 40ee2a 324->329 330 4077f9-4077fe call 40ee2a 324->330 335 407703-40770e RegEnumKeyA 329->335 336 407801 330->336 338 4074a2-4074b1 call 406cad 335->338 339 407714-40771d RegCloseKey 335->339 337 407804-407808 336->337 342 4074b7-4074cc call 40f1a5 338->342 343 4076ed-407700 338->343 339->336 346 4074d2-4074f8 RegOpenKeyExA 342->346 343->335 347 407727-40772a 346->347 348 4074fe-407530 call 402544 RegQueryValueExA 346->348 349 407755-407764 call 40ee2a 347->349 350 40772c-407740 call 40ef00 347->350 348->347 356 407536-40753c 348->356 361 4076df-4076e2 349->361 358 407742-407745 RegCloseKey 350->358 359 40774b-40774e 350->359 360 40753f-407544 356->360 358->359 363 4077ec-4077f7 RegCloseKey 359->363 360->360 362 407546-40754b 360->362 361->343 364 4076e4-4076e7 RegCloseKey 361->364 362->349 365 407551-40756b call 40ee95 362->365 363->337 364->343 365->349 368 407571-407593 call 402544 call 40ee95 365->368 373 407753 368->373 374 407599-4075a0 368->374 373->349 375 4075a2-4075c6 call 40ef00 call 40ed03 374->375 376 4075c8-4075d7 call 40ed03 374->376 382 4075d8-4075da 375->382 376->382 384 4075dc 382->384 385 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 382->385 384->385 394 407626-40762b 385->394 394->394 395 40762d-407634 394->395 396 407637-40763c 395->396 396->396 397 40763e-407642 396->397 398 407644-407656 call 40ed77 397->398 399 40765c-407673 call 40ed23 397->399 398->399 404 407769-40777c call 40ef00 398->404 405 407680 399->405 406 407675-40767e 399->406 411 4077e3-4077e6 RegCloseKey 404->411 408 407683-40768e call 406cad 405->408 406->408 413 407722-407725 408->413 414 407694-4076bf call 40f1a5 call 406c96 408->414 411->363 416 4076dd 413->416 420 4076c1-4076c7 414->420 421 4076d8 414->421 416->361 420->421 422 4076c9-4076d2 420->422 421->416 422->421 423 40777e-407797 GetFileAttributesExA 422->423 424 407799 423->424 425 40779a-40779f 423->425 424->425 426 4077a1 425->426 427 4077a3-4077a8 425->427 426->427 428 4077c4-4077c8 427->428 429 4077aa-4077c0 call 40ee08 427->429 431 4077d7-4077dc 428->431 432 4077ca-4077d6 call 40ef00 428->432 429->428 435 4077e0-4077e2 431->435 436 4077de 431->436 432->431 435->411 436->435
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                                    • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                  • String ID: "$PromptOnSecureDesktop
                                                                                                  • API String ID: 3433985886-3108538426
                                                                                                  • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                  • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                  • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                  • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
                                                                                                  • RegEnumValueA.KERNELBASE(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
                                                                                                  • RegCloseKey.KERNELBASE(771B0F10,?,771B0F10,00000000), ref: 004071B2
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
                                                                                                    • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                  • String ID: $"$PromptOnSecureDesktop
                                                                                                  • API String ID: 4293430545-98143240
                                                                                                  • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                  • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                  • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                  • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                  • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
                                                                                                  • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
                                                                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 00406971
                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 1400801100-0
                                                                                                  • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                  • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                  • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                  • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0066024D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID: cess$kernel32.dll
                                                                                                  • API String ID: 4275171209-1230238691
                                                                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                  • Instruction ID: 8728a758dab89e9ea64e30a78b4b1ed508de18543e59f78f2a777fecd39c5750
                                                                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                  • Instruction Fuzzy Hash: 91526874A01229DFDB64CF58C985BA9BBB1BF09304F1480E9E94DAB351DB30AE85DF14

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                  • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                    • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                    • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                    • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                    • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                    • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 4131120076-2980165447
                                                                                                  • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                  • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                  • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                  • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                  • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                  • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 408151869-2980165447
                                                                                                  • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                  • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                  • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID: ,k@
                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                  • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-0
                                                                                                  • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                  • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                  • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                  • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 893 660e0f-660e24 SetErrorMode * 2 894 660e26 893->894 895 660e2b-660e2c 893->895 894->895
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000400,?,?,00660223,?,?), ref: 00660E19
                                                                                                  • SetErrorMode.KERNELBASE(00000000,?,?,00660223,?,?), ref: 00660E1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction ID: ee078584dca13e788e7d6e14266956c172b54066e7d8b192639a4a5066c8a46f
                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction Fuzzy Hash: 8CD0123154512877D7002A94DC09BCE7B1CDF05B62F008421FB0DD9180C771994046E5
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1823874839-0
                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                  APIs
                                                                                                  • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00660929
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 560597551-0
                                                                                                  • Opcode ID: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                  • Instruction ID: 32c6b922947ea3cccd1969f265569fcdca6cd0b55213c4fffb902dc8cd283092
                                                                                                  • Opcode Fuzzy Hash: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                  • Instruction Fuzzy Hash: 2C9002A42C425031D860259C0C01F5501052741630F3507147130AE5D0C44156404215
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006A89D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, Offset: 00699000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_699000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 87c32f99373b55bc8bb18555913c2cc960032467c8aebc2f587017f437f5a456
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: 40113C79A00208EFDB01DF98C985E98BBF5AF08750F058095FA48AB362D771EE50DF90
                                                                                                  APIs
                                                                                                  • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                                  • closesocket.WS2_32(?), ref: 0040CB63
                                                                                                  • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                                  • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                                  • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                                  • wsprintfA.USER32 ref: 0040CD21
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                                  • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                                  • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                                  • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                                  • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                                  • closesocket.WS2_32(?), ref: 0040D56C
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                                  • ExitProcess.KERNEL32 ref: 0040D583
                                                                                                  • wsprintfA.USER32 ref: 0040D81F
                                                                                                    • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                                  • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                  • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                  • API String ID: 562065436-3791576231
                                                                                                  • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                  • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                                  • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                  • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                  • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                  • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                  • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                  • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                  • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                  • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                  • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                  • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                  • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                  • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                  • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                  • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  • API String ID: 766114626-2976066047
                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID: PromptOnSecureDesktop
• API String ID: 2404124870-2980165447
• Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 006665F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00666610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00666631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00666652
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 58496d262b479edd5b4c64d5037deb4cecab4d02171359dd27cfdd0b3fe75b3a
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: A61151B1600218BFDB219F65EC46F9B3FA9EB057A5F104024F909E7251D6B1DD408AA4
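The argument columns in the API lines above carry most of the triage value of this part of the report: the AllocateAndInitializeSid/CheckTokenMembership pair, the socket() triple, the VirtualAllocEx protection flag of the two injection stubs (one in the unpacked image at 0x400000, one in the 0x660000 region), and the 0x14-byte IsBadReadPtr probe beside LoadLibraryA/GetProcAddress. The script below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses lines in the plugin's `Name.MODULE(args), ref: ADDR` form and decodes the constants using the documented Win32 and Winsock values. The SAMPLE text is copied from the entries above. Two decodings are inferences and are labelled as such in the code: the plugin shows the SID identifier authority only as a pointer (`?`), so the S-1-5 prefix is inferred from the RID pair 0x20/0x220 (SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, i.e. BUILTIN\Administrators); and a probe of 0x14 bytes equals sizeof(IMAGE_IMPORT_DESCRIPTOR), which is consistent with, but not proof of, walking an import table by hand. Note also that the plugin prints more stack slots than the API has parameters (the VirtualAlloc line shows eight values for a four-argument call), so each decoder indexes by documented position and ignores the rest.

```python
"""Decode the argument constants in Joe Sandbox 'APIs' trace lines.

Added example for this report page; it is not Joe Sandbox code. SAMPLE is
copied from the report entries above. Values the plugin renders as '?' are
unresolved and are never guessed; extra stack slots past an API's parameter
count are ignored because decoders index by documented position only.
"""
import re

# "• Name.MODULE(args), ref: ADDR", the no-argument "• Name.MODULE ref: ADDR"
# form, and the "Part of subcall function XXXX:" prefix the plugin uses.
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 / Winsock constants.
_AF = {2: "AF_INET", 23: "AF_INET6"}
_SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
_PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
_PROT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# (SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS); the S-1-5 authority is inferred.
_RID = {(0x20, 0x220): "BUILTIN\\Administrators (S-1-5-32-544)"}


def _value(tok):
    tok = tok.strip()
    if tok == "?":
        return None                      # unresolved in the report
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # 32-bit hex as the plugin prints it
    return tok                           # symbol or string the plugin resolved


def parse_api_line(line):
    """Return {'api','module','args','ref'} or None if the line is not a call."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(_value(t) for t in raw.split(",")) if raw else ()
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def annotate(call):
    """Notes for the constants a call line pins down; empty if nothing to say."""
    api, a = call["api"], call["args"]
    notes = []
    if api == "socket" and len(a) >= 3:
        notes.append("%s %s %s" % (_AF.get(a[0], "af=%r" % a[0]),
                                   _SOCK.get(a[1], "type=%r" % a[1]),
                                   _PROTO.get(a[2], "proto=%r" % a[2])))
    elif api in ("VirtualAlloc", "VirtualAllocEx"):
        # VirtualAlloc(addr, size, type, protect); VirtualAllocEx has hProcess first.
        i = 2 if api == "VirtualAlloc" else 3
        if len(a) > i + 1:
            notes.append("%s, %s" % (_ALLOC.get(a[i], "type=%r" % a[i]),
                                     _PROT.get(a[i + 1], "protect=%r" % a[i + 1])))
            if api == "VirtualAllocEx" and a[i + 1] == 0x40:
                notes.append("RWX allocation in another process (injection staging)")
    elif api == "AllocateAndInitializeSid" and len(a) >= 2 and a[1] is not None:
        # (pAuthority, nSubAuthority, sub0..sub7, ppSid); authority is a pointer.
        subs = tuple(a[2:2 + a[1]])
        notes.append("SID subauthorities %s" % (subs,))
        if subs in _RID:
            notes.append(_RID[subs] + "; with CheckTokenMembership this is an is-admin check")
    elif api == "IsBadReadPtr" and len(a) >= 2 and a[1] == 0x14:
        # Inference only: 0x14 == sizeof(IMAGE_IMPORT_DESCRIPTOR).
        notes.append("probe of 0x14 bytes matches sizeof(IMAGE_IMPORT_DESCRIPTOR)")
    return notes


def triage(text):
    """(api, ref, notes) for every call line in a block of report text."""
    out = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            out.append((call["api"], call["ref"], annotate(call)))
    return out


# Constructed input: lines copied from the report entries on this page.
SAMPLE = """\
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetTickCount.KERNEL32 ref: 00401FC9
"""

if __name__ == "__main__":
    for api, ref, notes in triage(SAMPLE):
        print("%08X %-26s %s" % (ref, api, "; ".join(notes) or "-"))
```

Run it over any "APIs" block pasted from the report; lines that are not call lines (headers, hashes) are skipped by the parser. The decoder deliberately does not interpret the `*p@` value passed to CheckTokenMembership or any other symbolic argument the plugin resolved, since their meaning is not recoverable from the trace alone.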
APIs
• CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
• DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Time$FileSystem$CloseControlCreateDeviceHandle
• String ID:
• API String ID: 3754425949-0
• Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
• Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
• Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
Memory Dump Source
• Source File: 00000000.00000002.1282456140.0000000000699000.00000040.00000020.00020000.00000000.sdmp, Offset: 00699000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_699000_qkkcfptf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 74666f0a50859f4ef948d3acbf4f05affa6191c48b88f5caa30925c135decb86
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 581182727401009FD744DF55DC91FA673EBEB99320B298095ED04CB316EA75EC02CB60
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: a60c24d993cbccf98a249165d32e4b252ecb079773f30f13a6df0b1f2fa8fb70
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 1A018F76A006148FEB21CF64C804BEB33AAEF86316F4545B5D90A97281E774A9418B90
                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32 ref: 00669E6D
                                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00669FE1
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 00669FF2
                                                                                                  • lstrcat.KERNEL32(?,0041070C), ref: 0066A004
                                                                                                  • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0066A054
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0066A09F
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0066A0D6
                                                                                                  • lstrcpy.KERNEL32 ref: 0066A12F
                                                                                                  • lstrlen.KERNEL32(00000022), ref: 0066A13C
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 00669F13
                                                                                                    • Part of subcall function 00667029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00667081
                                                                                                    • Part of subcall function 00666F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\tdomrpcj,00667043), ref: 00666F4E
                                                                                                    • Part of subcall function 00666F30: GetProcAddress.KERNEL32(00000000), ref: 00666F55
                                                                                                    • Part of subcall function 00666F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00666F7B
                                                                                                    • Part of subcall function 00666F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00666F92
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0066A1A2
                                                                                                  • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0066A1C5
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0066A214
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0066A21B
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 0066A265
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0066A29F
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0066A2C5
                                                                                                  • lstrcat.KERNEL32(?,00000022), ref: 0066A2D9
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0066A2F4
                                                                                                  • wsprintfA.USER32 ref: 0066A31D
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0066A345
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 0066A364
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0066A387
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0066A398
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0066A1D1
                                                                                                    • Part of subcall function 00669966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0066999D
                                                                                                    • Part of subcall function 00669966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006699BD
                                                                                                    • Part of subcall function 00669966: RegCloseKey.ADVAPI32(?), ref: 006699C6
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0066A3DB
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0066A3E2
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0066A41D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                  • String ID: "$"$"$D$P$\
                                                                                                  • API String ID: 1653845638-2605685093
                                                                                                  • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction ID: b2e32097b6eed0c5c7a250a12976788a71f61ea7f00b6753b5b18bd1b4bb9b82
                                                                                                  • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction Fuzzy Hash: EFF140B1D40259AFDF11DBA0DC49EEF7BBDAB08304F0440AAF605F2241EB759A858F65
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00667D21
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00667D46
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00667D7D
                                                                                                  • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00667DA2
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00667DC0
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00667DD1
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00667DE5
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00667DF3
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00667E03
                                                                                                  • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00667E12
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00667E19
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00667E35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2976863881-1403908072
                                                                                                  • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction ID: 778723c59086282f8662c78a06a826dab6da125bf91467e2de9560d899d082a4
                                                                                                  • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction Fuzzy Hash: 5EA14D71900219AFDF11CFA0DD88FEFBBBAFB08304F148569E505E6250DB759A85CB64
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                  • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                  • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                  • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00667A96
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00667ACD
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00667ADF
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00667B01
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00667B1F
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00667B39
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00667B4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00667B58
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00667B68
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00667B77
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00667B7E
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00667B9A
                                                                                                  • GetAce.ADVAPI32(?,?,?), ref: 00667BCA
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00667BF1
                                                                                                  • DeleteAce.ADVAPI32(?,?), ref: 00667C0A
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00667C2C
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00667CB1
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00667CBF
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00667CD0
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00667CE0
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00667CEE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: ffd4ebc675c30115f94c7e0716bd1a9ac79a066a3083f0fcbf4d48eeea3a4e19
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: D1815D7190421AAFDB11CFA4DD84FEEBBB9FF08308F14806AE505E6250D7759A81CBA4
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: PromptOnSecureDesktop$localcfg
• API String ID: 237177642-1678164370
• Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0066865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0066867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006686A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006686B1
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: 81982b53cf39649861357151e3bb50c1ec195a02240bde91fe3ae16bab15521a
• Instruction Fuzzy Hash: 02C1A1B1940149BFEB11ABB4DD85EEF7BBEEB04300F14417AF604E3151EAB18E948B65
APIs
• ShellExecuteExW.SHELL32(?), ref: 00661601
• lstrlenW.KERNEL32(-00000003), ref: 006617D8
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: a4ad17db9e77739de62b7c1c0bb78ce2c3cddaf328a82d91c93f4e14b3d469e6
• Instruction Fuzzy Hash: B5F18EB15083419FD720CF64C888BABBBE6FB89304F148A2DF5969B390D7B49944CB56
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006676D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00667757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0066778F
• ___ascii_stricmp.LIBCMT ref: 006678B4
• RegCloseKey.ADVAPI32(?), ref: 0066794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0066796D
• RegCloseKey.ADVAPI32(?), ref: 0066797E
• RegCloseKey.ADVAPI32(?), ref: 006679AC
• RegCloseKey.ADVAPI32(?), ref: 00667A56
  • Part of subcall function 0066F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0066772A,?), ref: 0066F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006679F6
• RegCloseKey.ADVAPI32(?), ref: 00667A4D
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 1de34e2329a893d3afa53b73489741aa7d402dea57914641cd9fee5fbe347a11
• Instruction Fuzzy Hash: FDC1B371904209AFEB11DBA4EC45FEEBBBAEF45314F1001A5F504E6291EB71DE848B64
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00662CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00662D07
• htons.WS2_32(00000000), ref: 00662D42
• select.WS2_32 ref: 00662D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00662DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00662E62
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 3f636fdc852ad23f40d56c904dfcdc6c241f5c9d95ff225dc7ac9f8d7082dea2
• Instruction Fuzzy Hash: 56610171504706ABC720AF60DC18BABBBF9FF88341F14482DF98497291D7B5DC808BA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• GetVersionExA.KERNEL32(?), ref: 006695A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006695D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 006695DC
• wsprintfA.USER32 ref: 00669635
• wsprintfA.USER32 ref: 00669673
• wsprintfA.USER32 ref: 006696F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00669758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0066978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006697D8
Memory Dump Source
• Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 31fd223fac8b7d703e0b5703c5dc84e5432894e7735785270c59f2b1075624e4
• Instruction Fuzzy Hash: D2A16DB190024CAFEB21DFA0DC45FDA3BAEEB05741F10402AFE15D6252E7B5D984CBA5
                                                                                                  APIs
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpi
                                                                                                  • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                                  • API String ID: 1586166983-142018493
                                                                                                  • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                  • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0040B467
                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$wsprintf
                                                                                                  • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                  • API String ID: 1220175532-2340906255
                                                                                                  • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                  • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                  • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                  • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32 ref: 0066202D
                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 0066204F
                                                                                                  • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0066206A
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00662071
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00662082
                                                                                                  • GetTickCount.KERNEL32 ref: 00662230
                                                                                                    • Part of subcall function 00661E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00661E7C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                  • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                  • API String ID: 4207808166-1391650218
                                                                                                  • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                  • Instruction ID: 81af86ae65db25ba2b5866d7a0a686fe8e438fc2ce943b27c68422c297455782
                                                                                                  • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                  • Instruction Fuzzy Hash: 2F514CB05047446FE370AF758C86FA7BAEDEF45704F00091DF99682242D7B9A984C769
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00402078
                                                                                                  • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                  • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                  • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                  • GetTickCount.KERNEL32 ref: 00402132
                                                                                                  • GetTickCount.KERNEL32 ref: 00402142
                                                                                                    • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                    • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                    • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                    • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                    • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                  • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                  • API String ID: 3976553417-1522128867
                                                                                                  • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                  • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                  • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                  • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                  • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                  • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                  • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1553760989-1857712256
                                                                                                  • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                  • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00663068
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00663078
                                                                                                  • GetProcAddress.KERNEL32(00000000,00410408), ref: 00663095
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 006630B6
                                                                                                  • htons.WS2_32(00000035), ref: 006630EF
                                                                                                  • inet_addr.WS2_32(?), ref: 006630FA
                                                                                                  • gethostbyname.WS2_32(?), ref: 0066310D
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 0066314D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                  • String ID: iphlpapi.dll
                                                                                                  • API String ID: 2869546040-3565520932
                                                                                                  • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction ID: 79bca11c031034432ea7b72e3fd72f86eb94ea214118f08c21a4bb7800246e9d
                                                                                                  • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction Fuzzy Hash: DB31E871A00216ABDF119BB89C48AEEB7B9EF06360F148125F518E3390DB74DE81CB58
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                  • API String ID: 3560063639-3847274415
                                                                                                  • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                  • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                  • API String ID: 1082366364-2834986871
                                                                                                  • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                  • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                  • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2981417381-1403908072
                                                                                                  • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                  • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 006667C3
                                                                                                  • htonl.WS2_32(?), ref: 006667DF
                                                                                                  • htonl.WS2_32(?), ref: 006667EE
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006668F1
                                                                                                  • ExitProcess.KERNEL32 ref: 006669BC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                  • String ID: except_info$localcfg
                                                                                                  • API String ID: 1150517154-3605449297
                                                                                                  • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction ID: 94ca47d48c2bad0634afc6abe5a1036cfd5b4adfd8d33a4282eb00b3d798eb13
                                                                                                  • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction Fuzzy Hash: A6616E71A40208AFDF609FB4DC45FEA77E9FB08300F24816AFA6DD2161EA7599908F54
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0066CC84), ref: 0066F5B4
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0066F5CE
                                                                                                  • closesocket.WS2_32(00000000), ref: 0066F5DC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction ID: 6a6239aad773cea8e7e96eac311f1753ee9eb1d7b5f5f8c65c6125cc9c9ef771
                                                                                                  • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction Fuzzy Hash: E4315A72900118BBDB10DFA5EC89DEE7BBDEF89310F10456AF915E3150E7709A818BA4
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                  • String ID: /%d$|
                                                                                                  • API String ID: 676856371-4124749705
                                                                                                  • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                  • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 00662FA1
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00662FB1
                                                                                                  • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00662FC8
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00663000
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00663007
                                                                                                  • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00663032
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: dnsapi.dll
                                                                                                  • API String ID: 1242400761-3175542204
                                                                                                  • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction ID: 5691fa5b1709ff007b2da1b8cd9cdf1043e7dbfc9e06302201c6129299429316
                                                                                                  • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction Fuzzy Hash: C021A17194062ABBCB219B54DC48AEFBBBDEF08B10F104421F901E7240D7B49E8587E4
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3609698214-2980165447
                                                                                                  • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                  • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\tdomrpcj,00667043), ref: 00666F4E
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00666F55
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00666F7B
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00666F92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\tdomrpcj
                                                                                                  • API String ID: 1082366364-699424986
                                                                                                  • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction ID: d32d15f151e3f58eee8a145a48cb5f312811e2b934c17188a9e49a3bd78c3a5b
                                                                                                  • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction Fuzzy Hash: 382135617443407AF7225731FC89FFB2E4E8B52764F1840A9F404E6291DAE988D682BD
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                  • wsprintfA.USER32 ref: 004090E9
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 2439722600-2980165447
                                                                                                  • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                  • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?), ref: 006692E2
                                                                                                  • wsprintfA.USER32 ref: 00669350
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00669375
                                                                                                  • lstrlen.KERNEL32(?,?,00000000), ref: 00669389
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 00669394
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0066939B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 2439722600-2980165447
                                                                                                  • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                  • Instruction ID: eb205e0c727861bdbd2b778c7672c24e3eb4c7139d2076899a765917364647e9
                                                                                                  • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                  • Instruction Fuzzy Hash: 0F1196B57401147BE7606731EC0EFEF3A6EDBC8B10F00C069BB09E5191EEB54A4186B8
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00669A18
                                                                                                  • GetThreadContext.KERNEL32(?,?), ref: 00669A52
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00669A60
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00669A98
                                                                                                  • SetThreadContext.KERNEL32(?,00010002), ref: 00669AB5
                                                                                                  • ResumeThread.KERNEL32(?), ref: 00669AC2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                  • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction ID: c375d4a6672868193b650eac490c3ccba2b4f81beba545a58ecc7de05820b074
                                                                                                  • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction Fuzzy Hash: 4E2139B1A01229BBDF119BE1DC09EEFBBBDEF05750F404061BA19E1150EB758A84CBA4
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(004102D8), ref: 00661C18
                                                                                                  • LoadLibraryA.KERNEL32(004102C8), ref: 00661C26
                                                                                                  • GetProcessHeap.KERNEL32 ref: 00661C84
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00661C9D
                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00661CC1
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00661D02
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00661D0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID:
                                                                                                  • API String ID: 2324436984-0
                                                                                                  • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction ID: e53b48ed5cbca348d4018d702dbdbbb72ca81b0662a678150b0087641f8dbbc1
                                                                                                  • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction Fuzzy Hash: A7312F71D00219BFCB119FE4DC898FEBBBAEF46751B28447AE501A6210D7B54E80DB94
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                  • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1586453840-2980165447
                                                                                                  • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                  • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                  • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                  • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                                  • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1371578007-2980165447
                                                                                                  • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                  • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00666CE4
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00666D22
                                                                                                  • GetLastError.KERNEL32 ref: 00666DA7
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00666DB5
                                                                                                  • GetLastError.KERNEL32 ref: 00666DD6
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 00666DE7
                                                                                                  • GetLastError.KERNEL32 ref: 00666DFD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873183294-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: 228b3929e8ffc678226dd27fcb8c5cc02f1e1d42815baf26300d35ea3e53211f
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 8C31E376A00289BFCB01DFA4ED44ADEBF7AEF48310F148069F251E3261D7709A558B65
                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0066E50A,00000000,00000000,00000000,00020106,00000000,0066E50A,00000000,000000E4), ref: 0066E319
                                                                                                  • RegSetValueExA.ADVAPI32(0066E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0066E38E
                                                                                                  • RegDeleteValueA.ADVAPI32(0066E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Df), ref: 0066E3BF
                                                                                                  • RegCloseKey.ADVAPI32(0066E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Df,0066E50A), ref: 0066E3C8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                  • String ID: PromptOnSecureDesktop$Df
                                                                                                  • API String ID: 2667537340-3201945593
                                                                                                  • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                  • Instruction ID: 169f67cff5ea37a9ae499a3a6577433e1f14ca5093cca6a7546f9e7d55eaa2ca
                                                                                                  • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                  • Instruction Fuzzy Hash: BD215E71A0021DBBDF209FA5EC89EDE7F7AEF08750F008025F904E7251E6728A54D7A0
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                  • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                  • wsprintfA.USER32 ref: 004091A9
                                                                                                    • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                    • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                    • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                    • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                    • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                    • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3857584221-2980165447
                                                                                                  • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                  • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006693C6
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 006693CD
                                                                                                  • CharToOemA.USER32(?,?), ref: 006693DB
                                                                                                  • wsprintfA.USER32 ref: 00669410
                                                                                                    • Part of subcall function 006692CB: GetTempPathA.KERNEL32(00000400,?), ref: 006692E2
                                                                                                    • Part of subcall function 006692CB: wsprintfA.USER32 ref: 00669350
                                                                                                    • Part of subcall function 006692CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00669375
                                                                                                    • Part of subcall function 006692CB: lstrlen.KERNEL32(?,?,00000000), ref: 00669389
                                                                                                    • Part of subcall function 006692CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00669394
                                                                                                    • Part of subcall function 006692CB: CloseHandle.KERNEL32(00000000), ref: 0066939B
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00669448
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3857584221-2980165447
                                                                                                  • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction ID: 9910b90b6367f4abfe71617e96204792d6e575e991532b4da8fb179073241cca
                                                                                                  • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction Fuzzy Hash: 960152F69001187BD761A7619D89EDF3B7CDB95701F0040A5BB49E2080DAB497C58F75
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen
                                                                                                  • String ID: $localcfg
                                                                                                  • API String ID: 1659193697-2018645984
                                                                                                  • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction ID: ddb51a8420117f7c612bbace961de00cb0d27515d18ef794e8b0abd84fb6472e
                                                                                                  • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction Fuzzy Hash: E8712A71A40304AADF219BD4DC86FEE376BAF00705F24406BF905B6291DA629DC48F6B
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                  • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                  • String ID: flags_upd$localcfg
                                                                                                  • API String ID: 204374128-3505511081
                                                                                                  • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                  • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                  APIs
                                                                                                    • Part of subcall function 0066DF6C: GetCurrentThreadId.KERNEL32 ref: 0066DFBA
                                                                                                  • lstrcmp.KERNEL32(00410178,00000000), ref: 0066E8FA
                                                                                                  • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00666128), ref: 0066E950
                                                                                                  • lstrcmp.KERNEL32(?,00000008), ref: 0066E989
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 2920362961-1846390581
                                                                                                  • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                  • Instruction ID: 0b3b51e6fa59a68ca416c0cae662813c9479cebb150d9403c685c13490e5e365
                                                                                                  • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                  • Instruction Fuzzy Hash: 5931AD396007059FDF718F25C884BA67BE6EF15320F108A2EE5568B651E372E881CB85
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                  • Instruction ID: 14decb02d8c5505932d7f9344425df5c9f9b7f1f41e55a00111b87fe4fe31ad6
                                                                                                  • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                  • Instruction Fuzzy Hash: 3F21607A108115FFDB109BB1FC49EDF3FAEDB49361B208525F502D1091EB72DA409678
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                  • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                  • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3819781495-0
                                                                                                  • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                  • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                  • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                  • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0066C6B4
                                                                                                  • InterlockedIncrement.KERNEL32(0066C74B), ref: 0066C715
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0066C747), ref: 0066C728
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0066C747,00413588,00668A77), ref: 0066C733
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1026198776-1857712256
                                                                                                  • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                  • Instruction ID: 691edaf1dd650219d12628b3c035f6f6442df12863b8cec30bd82deb1f0190a0
                                                                                                  • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                  • Instruction Fuzzy Hash: D2515CB1A01B418FD7648F69C9C562ABBEAFB48310B50693EE18BC7A90D774F840CB54
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                    • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 124786226-2980165447
                                                                                                  • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                  • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                  • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                  • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                  • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                  • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                  • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 2667537340-2980165447
                                                                                                  • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                  • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                  • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                  • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 006671E1
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00667228
                                                                                                  • LocalFree.KERNEL32(?,?,?), ref: 00667286
                                                                                                  • wsprintfA.USER32 ref: 0066729D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2539190677-2343686810
                                                                                                  • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                  • Instruction ID: e65f08c9c4739e13c104b3c8409ec88137621b534e6b51037572088ac3b71cda
                                                                                                  • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                  • Instruction Fuzzy Hash: 48314972A04208BFDB01DFA8DC45ADA7BADEF04314F14C166F859DB201EA75DB488B94
                                                                                                  APIs
                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                  • String ID: LocalHost
                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                  • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                  • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                  • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                  • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0066B51A
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066B529
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0066B548
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0066B590
                                                                                                  • wsprintfA.USER32 ref: 0066B61E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 4026320513-0
                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction ID: dd3e633e7f07ede494ec3737734c4c117356f632ddd0f16eff189d53fee1b422
                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction Fuzzy Hash: F9510FB1D0021DEACF14DFD5D8895EEBBBABF48304F10816AF505A6150E7B94AC9CF98
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00666303
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 0066632A
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 006663B1
                                                                                                  • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00666405
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 3498078134-0
                                                                                                  • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction ID: 13471e6aa62883ac40392bd3d5f4ff3e27beb4a9a3dc94e1d533131cea12017b
                                                                                                  • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction Fuzzy Hash: 4C414971A00209ABDB14CF58E884AA9B7BAEF04358F288169F815E7390EB71ED51CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                  • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                  • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                  • lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                  • String ID: A$ A
                                                                                                  • API String ID: 3343386518-686259309
                                                                                                  • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                  • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                  • htons.WS2_32(00000001), ref: 00402752
                                                                                                  • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                  • htons.WS2_32(00000001), ref: 004027E3
                                                                                                  • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                    • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                    • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                  • String ID:
                                                                                                  • API String ID: 1128258776-0
                                                                                                  • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                  • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: setsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 3981526788-0
                                                                                                  • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                  • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                  • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                  • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000001,Df,00000000,00000000,00000000), ref: 0066E470
                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 0066E484
                                                                                                    • Part of subcall function 0066E2FC: RegCreateKeyExA.ADVAPI32(80000001,0066E50A,00000000,00000000,00000000,00020106,00000000,0066E50A,00000000,000000E4), ref: 0066E319
                                                                                                    • Part of subcall function 0066E2FC: RegSetValueExA.ADVAPI32(0066E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0066E38E
                                                                                                    • Part of subcall function 0066E2FC: RegDeleteValueA.ADVAPI32(0066E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Df), ref: 0066E3BF
                                                                                                    • Part of subcall function 0066E2FC: RegCloseKey.ADVAPI32(0066E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Df,0066E50A), ref: 0066E3C8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                  • String ID: PromptOnSecureDesktop$Df
                                                                                                  • API String ID: 4151426672-3201945593
                                                                                                  • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction ID: f1681c6beff3d74b013ecbc33f9b388dceaec81ef50a8c3384688d869e6cb26f
                                                                                                  • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction Fuzzy Hash: E941C9B5D00218BBEB206B618C46FEB3F6EDF04724F148029F90994192E7B6DA50D6B5
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                                  • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3683885500-2980165447
                                                                                                  • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                  • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                                  • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                  • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                                  APIs
                                                                                                    • Part of subcall function 0066DF6C: GetCurrentThreadId.KERNEL32 ref: 0066DFBA
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0066A6AC), ref: 0066E7BF
                                                                                                  • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0066A6AC), ref: 0066E7EA
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0066A6AC), ref: 0066E819
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1396056608-2980165447
                                                                                                  • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                  • Instruction ID: c8471230c25983de7120d0c34f37c8cc8fb91eab86e62f18d56e176b63d30d37
                                                                                                  • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                  • Instruction Fuzzy Hash: C721B5B1A403057AE36077619C4BFEB3E5DDB65B60F10002DBA09A51D3EAA6D95082B9
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                  • API String ID: 2574300362-1087626847
                                                                                                  • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                  • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006676D9
                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0066796D
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0066797E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseEnumOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1332880857-2980165447
                                                                                                  • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                  • Instruction ID: bbc94fff2a6a476404641bfacdc446de13906be8a705f66060e96512de91faf1
                                                                                                  • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                  • Instruction Fuzzy Hash: 1011D370A04109AFDB118FA9DC45FEFBF7AEF51718F140165F515E6291E6B18D408B70
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: hi_id$localcfg
                                                                                                  • API String ID: 2777991786-2393279970
                                                                                                  • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                  • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                                  • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                                  • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 849931509-2980165447
                                                                                                  • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                  • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                                  • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                  • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0066999D
                                                                                                  • RegDeleteValueA.ADVAPI32(?,00000000), ref: 006699BD
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 006699C6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 849931509-2980165447
                                                                                                  • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                  • Instruction ID: 2326a3b352e738297eeafe46f36a5903246aa5e91f74d357dcc55b6b27c2cf54
                                                                                                  • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                  • Instruction Fuzzy Hash: 58F096B2680208BBF7116B54EC07FDB3E2DDB95B14F104075FA05B5092F6E59E9082BD
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg$u6A
                                                                                                  • API String ID: 1594361348-1940331995
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: a68fc3cb8be201de011bbb769605022463cc106c705a68d8d8a1f39d77154a34
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 8BE0EC30604A129FDB509B28F848AD677A6AF8A370F058595F454D72A0C7749CC19654
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 006669E5
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 00666A26
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00666A3A
                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00666BD8
                                                                                                    • Part of subcall function 0066EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00661DCF,?), ref: 0066EEA8
                                                                                                    • Part of subcall function 0066EE95: HeapFree.KERNEL32(00000000), ref: 0066EEAF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 3384756699-0
                                                                                                  • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction ID: 0a1bd94075e14704bcfa19d17a7152c9096e3a9293f3c89969ca6e211d10e1d0
                                                                                                  • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction Fuzzy Hash: DB71057190022DEFDB109FA4DC80AEEBBBAFB04354F1045AAF515E6290D7719E92DB60
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf
                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                  • API String ID: 2111968516-120809033
                                                                                                  • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                  • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                  • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                  • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006641AB
                                                                                                  • GetLastError.KERNEL32 ref: 006641B5
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 006641C6
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006641D9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: fc05d7d9da5152f0f7b05008f7911e11bf0537fdbdeb8fd88102a36312859833
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: 5C01487691110AAFDF01DF90ED84BEF7BADEB18355F008061F901E2150DB70DAA08BB6
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0066421F
                                                                                                  • GetLastError.KERNEL32 ref: 00664229
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 0066423A
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0066424D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: 2d533ac8c050fb6e96d9761aad33f0246169c5c75f6fc07521cee680f9b449a1
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: 8501A572511109ABDF01DF91ED84BEE7BADEB08355F108461F901E2150DB709A949BB6
                                                                                                  APIs
                                                                                                  • lstrcmp.KERNEL32(?,80000009), ref: 0066E066
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 1534048567-1846390581
                                                                                                  • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction ID: b92954bd96ff5169c5bb65884ae320878a5b9c186ee5dd554a5d460c2cb7c6f4
                                                                                                  • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction Fuzzy Hash: EBF06275200702DBCF20CF25D884AC2B7EAFB15321B54862BE154C3260D3B5B8A8CB51
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                  • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                  • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                  • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                  • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                  • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00403103
                                                                                                  • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                  • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                    • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                    • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                    • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                    • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 4151426672-2980165447
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006683C6
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00668477
                                                                                                    • Part of subcall function 006669C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006669E5
                                                                                                    • Part of subcall function 006669C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00666A26
                                                                                                    • Part of subcall function 006669C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00666A3A
                                                                                                    • Part of subcall function 0066EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00661DCF,?), ref: 0066EEA8
                                                                                                    • Part of subcall function 0066EE95: HeapFree.KERNEL32(00000000), ref: 0066EEAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 359188348-2980165447
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0066E859,00000000,00020119,0066E859,PromptOnSecureDesktop), ref: 0066E64D
                                                                                                  • RegCloseKey.ADVAPI32(0066E859,?,?,?,?,000000C8,000000E4), ref: 0066E787
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 47109696-2980165447
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0066AFFF
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0066B00D
                                                                                                    • Part of subcall function 0066AF6F: gethostname.WS2_32(?,00000080), ref: 0066AF83
                                                                                                    • Part of subcall function 0066AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0066AFE6
                                                                                                    • Part of subcall function 0066331C: gethostname.WS2_32(?,00000080), ref: 0066333F
                                                                                                    • Part of subcall function 0066331C: gethostbyname.WS2_32(?), ref: 00663349
                                                                                                    • Part of subcall function 0066AA0A: inet_ntoa.WS2_32(00000000), ref: 0066AA10
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %OUTLOOK_BND_
                                                                                                  • API String ID: 1981676241-3684217054
                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00669536
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0066955D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-3916222277
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0066B9D9
                                                                                                  • InterlockedIncrement.KERNEL32(00413648), ref: 0066BA3A
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0066BA94
                                                                                                  • GetTickCount.KERNEL32 ref: 0066BB79
                                                                                                  • GetTickCount.KERNEL32 ref: 0066BB99
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0066BE15
                                                                                                  • closesocket.WS2_32(00000000), ref: 0066BEB4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 1869671989-2903620461
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 536389180-1857712256
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTickwsprintf
                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                  • API String ID: 2424974917-1012700906
                                                                                                  APIs
                                                                                                    • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 006670BC
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006670F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2370142434-2343686810
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: eeddd860bfc52986996d3a462655bb065cca5bd454eaa99eefdb9b959557e502
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: 16110C7290411CEBDF11CFD4DC84ADEF7BEAB06715F1841A7E511E6190D6709B88DBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2777991786-1857712256
                                                                                                  • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                  • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                  • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 224340156-2903620461
                                                                                                  • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                  • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                  APIs
                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                  • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                  • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                  • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: ntdll.dll
                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                  • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                  • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                  APIs
                                                                                                    • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282132325.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1282132325.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                  • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                  APIs
                                                                                                    • Part of subcall function 00662F88: GetModuleHandleA.KERNEL32(?), ref: 00662FA1
                                                                                                    • Part of subcall function 00662F88: LoadLibraryA.KERNEL32(?), ref: 00662FB1
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006631DA
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 006631E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1282370867.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_660000_qkkcfptf.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction ID: abd0636b5eb799deabf3490d43bcb558cfb7df84812fd1610e083051198402cb
                                                                                                  • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction Fuzzy Hash: AB51AA3190025AAFCB019F64D8989EAB77AFF16304B1441A8EC9687311E732DB59CB94

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.1%
                                                                                                  Dynamic/Decrypted Code Coverage:29.7%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:1608
                                                                                                  Total number of Limit Nodes:14
4 API calls 15019->15021 15020->15015 15021->15011 15028 4081dd 15022->15028 15024 4081a0 15023->15024 15024->15020 15025 4081aa RegQueryValueExA 15024->15025 15025->15017 15026 4081c4 15025->15026 15027 40ebcc 4 API calls 15026->15027 15027->15028 15028->15020 15529 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15029->15529 15031 405e71 15530 40e654 15031->15530 15033 405ec1 15034 403132 15033->15034 15035 40df70 12 API calls 15034->15035 15036 40313b 15035->15036 15037 40c125 15036->15037 15541 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15037->15541 15039 40c12d 15040 40e654 13 API calls 15039->15040 15041 40c2bd 15040->15041 15042 40e654 13 API calls 15041->15042 15043 40c2c9 15042->15043 15044 40e654 13 API calls 15043->15044 15045 40a47a 15044->15045 15046 408db1 15045->15046 15047 408dbc 15046->15047 15048 40e654 13 API calls 15047->15048 15049 408dec Sleep 15048->15049 15049->14759 15051 40c92f 15050->15051 15052 40c93c 15051->15052 15542 40c517 15051->15542 15054 40ca2b 15052->15054 15055 40e819 11 API calls 15052->15055 15054->14759 15056 40c96a 15055->15056 15057 40e819 11 API calls 15056->15057 15058 40c97d 15057->15058 15059 40e819 11 API calls 15058->15059 15060 40c990 15059->15060 15061 40c9aa 15060->15061 15062 40ebcc 4 API calls 15060->15062 15061->15054 15559 402684 15061->15559 15062->15061 15067 40ca26 15566 40c8aa 15067->15566 15070 40ca44 15071 40ca4b closesocket 15070->15071 15072 40ca83 15070->15072 15071->15067 15073 40ea84 30 API calls 15072->15073 15074 40caac 15073->15074 15075 40f04e 4 API calls 15074->15075 15076 40cab2 15075->15076 15077 40ea84 30 API calls 15076->15077 15078 40caca 15077->15078 15079 40ea84 30 API calls 15078->15079 15080 40cad9 15079->15080 15574 40c65c 15080->15574 15083 40cb60 closesocket 15083->15054 15085 40dad2 closesocket 15086 40e318 23 API calls 15085->15086 15086->15054 15087 40df4c 20 API calls 15134 40cb70 15087->15134 15092 40c65c send GetProcessHeap HeapSize 
GetProcessHeap HeapAlloc 15092->15134 15094 40e654 13 API calls 15094->15134 15099 40ea84 30 API calls 15099->15134 15100 40d569 closesocket Sleep 15621 40e318 15100->15621 15101 40d815 wsprintfA 15101->15134 15102 40cc1c GetTempPathA 15102->15134 15103 40c517 23 API calls 15103->15134 15105 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15105->15134 15106 407ead 6 API calls 15106->15134 15107 40e8a1 30 API calls 15107->15134 15108 40d582 ExitProcess 15109 40cfe3 GetSystemDirectoryA 15109->15134 15110 40cfad GetEnvironmentVariableA 15110->15134 15111 40675c 21 API calls 15111->15134 15112 40d027 GetSystemDirectoryA 15112->15134 15113 40d105 lstrcatA 15113->15134 15114 40ef1e lstrlenA 15114->15134 15115 40cc9f CreateFileA 15117 40ccc6 WriteFile 15115->15117 15115->15134 15116 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15116->15134 15119 40cdcc CloseHandle 15117->15119 15120 40cced CloseHandle 15117->15120 15118 40d15b CreateFileA 15121 40d182 WriteFile CloseHandle 15118->15121 15118->15134 15119->15134 15126 40cd2f 15120->15126 15121->15134 15122 40cd16 wsprintfA 15122->15126 15123 40d149 SetFileAttributesA 15123->15118 15124 40d1bf SetFileAttributesA 15124->15134 15125 40d36e GetEnvironmentVariableA 15125->15134 15126->15122 15603 407fcf 15126->15603 15127 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15127->15134 15128 40d22d GetEnvironmentVariableA 15128->15134 15129 40d3af lstrcatA 15131 40d3f2 CreateFileA 15129->15131 15129->15134 15131->15134 15135 40d415 WriteFile CloseHandle 15131->15135 15133 407fcf 64 API calls 15133->15134 15134->15085 15134->15087 15134->15092 15134->15094 15134->15099 15134->15100 15134->15101 15134->15102 15134->15103 15134->15105 15134->15106 15134->15107 15134->15109 15134->15110 15134->15111 15134->15112 15134->15113 15134->15114 15134->15115 15134->15116 15134->15118 15134->15123 15134->15124 15134->15125 15134->15127 15134->15128 15134->15129 
15134->15131 15134->15133 15140 40d3e0 SetFileAttributesA 15134->15140 15141 40d26e lstrcatA 15134->15141 15143 40d4b1 CreateProcessA 15134->15143 15144 40d2b1 CreateFileA 15134->15144 15146 407ee6 64 API calls 15134->15146 15147 40d452 SetFileAttributesA 15134->15147 15150 40d29f SetFileAttributesA 15134->15150 15152 40d31d SetFileAttributesA 15134->15152 15582 40c75d 15134->15582 15594 407e2f 15134->15594 15616 407ead 15134->15616 15626 4031d0 15134->15626 15643 403c09 15134->15643 15653 403a00 15134->15653 15657 40e7b4 15134->15657 15660 40c06c 15134->15660 15666 406f5f GetUserNameA 15134->15666 15677 40e854 15134->15677 15687 407dd6 15134->15687 15135->15134 15136 40cd81 WaitForSingleObject CloseHandle CloseHandle 15138 40f04e 4 API calls 15136->15138 15137 40cda5 15139 407ee6 64 API calls 15137->15139 15138->15137 15142 40cdbd DeleteFileA 15139->15142 15140->15131 15141->15134 15141->15144 15142->15134 15143->15134 15145 40d4e8 CloseHandle CloseHandle 15143->15145 15144->15134 15148 40d2d8 WriteFile CloseHandle 15144->15148 15145->15134 15146->15134 15147->15134 15148->15134 15150->15144 15152->15134 15154 40741b 15153->15154 15155 406dc2 6 API calls 15154->15155 15156 40743f 15155->15156 15157 407469 RegOpenKeyExA 15156->15157 15159 4077f9 15157->15159 15162 407487 ___ascii_stricmp 15157->15162 15158 407703 RegEnumKeyA 15160 407714 RegCloseKey 15158->15160 15158->15162 15159->14826 15160->15159 15161 4074d2 RegOpenKeyExA 15161->15162 15162->15158 15162->15161 15163 40772c 15162->15163 15164 407521 RegQueryValueExA 15162->15164 15167 4076e4 RegCloseKey 15162->15167 15169 407769 15162->15169 15171 40f1a5 lstrlenA 15162->15171 15172 40777e GetFileAttributesExA 15162->15172 15165 407742 RegCloseKey 15163->15165 15166 40774b 15163->15166 15164->15162 15165->15166 15168 4077ec RegCloseKey 15166->15168 15167->15162 15168->15159 15170 4077e3 RegCloseKey 15169->15170 15170->15168 15171->15162 15172->15169 15174 407073 15173->15174 15175 4070b9 RegOpenKeyExA 
15174->15175 15176 4070d0 15175->15176 15190 4071b8 15175->15190 15177 406dc2 6 API calls 15176->15177 15180 4070d5 15177->15180 15178 40719b RegEnumValueA 15179 4071af RegCloseKey 15178->15179 15178->15180 15179->15190 15180->15178 15182 4071d0 15180->15182 15196 40f1a5 lstrlenA 15180->15196 15183 407205 RegCloseKey 15182->15183 15184 407227 15182->15184 15183->15190 15185 4072b8 ___ascii_stricmp 15184->15185 15186 40728e RegCloseKey 15184->15186 15187 4072cd RegCloseKey 15185->15187 15188 4072dd 15185->15188 15186->15190 15187->15190 15189 407311 RegCloseKey 15188->15189 15192 407335 15188->15192 15189->15190 15190->14830 15191 4073d5 RegCloseKey 15193 4073e4 15191->15193 15192->15191 15194 40737e GetFileAttributesExA 15192->15194 15195 407397 15192->15195 15194->15195 15195->15191 15197 40f1c3 15196->15197 15197->15180 15199 406e97 15198->15199 15200 406e5f LookupAccountNameW 15198->15200 15199->14834 15200->15199 15202 40eb17 15201->15202 15203 40eb21 15201->15203 15211 40eae4 15202->15211 15203->14872 15207 4069b9 WriteFile 15205->15207 15208 406a3c 15207->15208 15210 4069ff 15207->15210 15208->14867 15208->14868 15209 406a10 WriteFile 15209->15208 15209->15210 15210->15208 15210->15209 15212 40eb02 GetProcAddress 15211->15212 15213 40eaed LoadLibraryA 15211->15213 15212->15203 15213->15212 15214 40eb01 15213->15214 15214->15203 15216 401924 GetVersionExA 15215->15216 15216->14883 15218 406f55 15217->15218 15219 406eef AllocateAndInitializeSid 15217->15219 15218->14893 15220 406f44 15219->15220 15221 406f1c CheckTokenMembership 15219->15221 15220->15218 15224 406e36 2 API calls 15220->15224 15222 406f3b FreeSid 15221->15222 15223 406f2e 15221->15223 15222->15220 15223->15222 15224->15218 15226 40f0f1 15225->15226 15227 40f0ed 15225->15227 15228 40f119 15226->15228 15229 40f0fa lstrlenA SysAllocStringByteLen 15226->15229 15227->14915 15231 40f11c MultiByteToWideChar 15228->15231 15230 40f117 15229->15230 15229->15231 15230->14915 15231->15230 15233 401820 17 
API calls 15232->15233 15234 4018f2 15233->15234 15235 4018f9 15234->15235 15249 401280 15234->15249 15235->14910 15237 401908 15237->14910 15262 401000 15238->15262 15240 401839 15241 401851 GetCurrentProcess 15240->15241 15242 40183d 15240->15242 15243 401864 15241->15243 15242->14901 15243->14901 15245 409308 15244->15245 15247 40920e 15244->15247 15245->14910 15246 4092f1 Sleep 15246->15247 15247->15245 15247->15246 15247->15247 15248 4092bf ShellExecuteA 15247->15248 15248->15245 15248->15247 15252 4012e1 ShellExecuteExW 15249->15252 15251 4016f9 GetLastError 15253 401699 15251->15253 15252->15251 15255 4013a8 15252->15255 15253->15237 15254 401570 lstrlenW 15254->15255 15255->15253 15255->15254 15255->15255 15256 4015be GetStartupInfoW 15255->15256 15257 4015ff CreateProcessWithLogonW 15255->15257 15261 401668 CloseHandle 15255->15261 15256->15255 15258 4016bf GetLastError 15257->15258 15259 40163f WaitForSingleObject 15257->15259 15258->15253 15259->15255 15260 401659 CloseHandle 15259->15260 15260->15255 15261->15255 15263 40100d LoadLibraryA 15262->15263 15274 401023 15262->15274 15264 401021 15263->15264 15263->15274 15264->15240 15265 4010b5 GetProcAddress 15266 4010d1 GetProcAddress 15265->15266 15267 40127b 15265->15267 15266->15267 15268 4010f0 GetProcAddress 15266->15268 15267->15240 15268->15267 15269 401110 GetProcAddress 15268->15269 15269->15267 15270 401130 GetProcAddress 15269->15270 15270->15267 15271 40114f GetProcAddress 15270->15271 15271->15267 15272 40116f GetProcAddress 15271->15272 15272->15267 15273 40118f GetProcAddress 15272->15273 15273->15267 15275 4011ae GetProcAddress 15273->15275 15274->15265 15282 4010ae 15274->15282 15275->15267 15276 4011ce GetProcAddress 15275->15276 15276->15267 15277 4011ee GetProcAddress 15276->15277 15277->15267 15278 401209 GetProcAddress 15277->15278 15278->15267 15279 401225 GetProcAddress 15278->15279 15279->15267 15280 401241 GetProcAddress 15279->15280 15280->15267 15281 40125c GetProcAddress 
15280->15281 15281->15267 15282->15240 15284 40908d 15283->15284 15285 4090e2 wsprintfA 15284->15285 15286 40ee2a 15285->15286 15287 4090fd CreateFileA 15286->15287 15288 40911a lstrlenA WriteFile CloseHandle 15287->15288 15289 40913f 15287->15289 15288->15289 15289->14931 15289->14932 15291 40dd41 InterlockedExchange 15290->15291 15292 40dd20 GetCurrentThreadId 15291->15292 15293 40dd4a 15291->15293 15294 40dd53 GetCurrentThreadId 15292->15294 15295 40dd2e GetTickCount 15292->15295 15293->15294 15294->14935 15295->15293 15296 40dd39 Sleep 15295->15296 15296->15291 15298 40dbf0 15297->15298 15330 40db67 GetEnvironmentVariableA 15298->15330 15300 40dc19 15301 40dcda 15300->15301 15302 40db67 3 API calls 15300->15302 15301->14937 15303 40dc5c 15302->15303 15303->15301 15304 40db67 3 API calls 15303->15304 15305 40dc9b 15304->15305 15305->15301 15306 40db67 3 API calls 15305->15306 15306->15301 15308 40db55 15307->15308 15309 40db3a 15307->15309 15308->14939 15308->14944 15334 40ebed 15309->15334 15343 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15311->15343 15313 40e3be 15313->14939 15314 40e342 15314->15313 15346 40de24 15314->15346 15317 40e528 15316->15317 15318 40e3f4 15316->15318 15317->14949 15319 40e434 RegQueryValueExA 15318->15319 15320 40e458 15319->15320 15321 40e51d RegCloseKey 15319->15321 15322 40e46e RegQueryValueExA 15320->15322 15321->15317 15322->15320 15323 40e488 15322->15323 15323->15321 15324 40db2e 8 API calls 15323->15324 15325 40e499 15324->15325 15325->15321 15326 40e4b9 RegQueryValueExA 15325->15326 15327 40e4e8 15325->15327 15326->15325 15326->15327 15327->15321 15328 40e332 14 API calls 15327->15328 15329 40e513 15328->15329 15329->15321 15331 40db89 lstrcpyA CreateFileA 15330->15331 15332 40dbca 15330->15332 15331->15300 15332->15300 15335 40ec01 15334->15335 15336 40ebf6 15334->15336 15338 40eba0 codecvt 2 API calls 15335->15338 15337 40ebcc 4 API calls 15336->15337 15340 40ebfe 15337->15340 15339 40ec0a GetProcessHeap 
HeapReAlloc 15338->15339 15341 40eb74 2 API calls 15339->15341 15340->15308 15342 40ec28 15341->15342 15342->15308 15357 40eb41 15343->15357 15347 40de3a 15346->15347 15352 40de4e 15347->15352 15361 40dd84 15347->15361 15350 40ebed 8 API calls 15355 40def6 15350->15355 15351 40de9e 15351->15350 15351->15352 15352->15314 15353 40de76 15365 40ddcf 15353->15365 15355->15352 15356 40ddcf lstrcmpA 15355->15356 15356->15352 15358 40eb54 15357->15358 15359 40eb4a 15357->15359 15358->15314 15360 40eae4 2 API calls 15359->15360 15360->15358 15362 40ddc5 15361->15362 15363 40dd96 15361->15363 15362->15351 15362->15353 15363->15362 15364 40ddad lstrcmpiA 15363->15364 15364->15362 15364->15363 15366 40dddd 15365->15366 15368 40de20 15365->15368 15367 40ddfa lstrcmpA 15366->15367 15366->15368 15367->15366 15368->15352 15370 40dd05 6 API calls 15369->15370 15371 40e821 15370->15371 15372 40dd84 lstrcmpiA 15371->15372 15373 40e82c 15372->15373 15374 40e844 15373->15374 15417 402480 15373->15417 15374->14964 15377 40dd05 6 API calls 15376->15377 15378 40df7c 15377->15378 15379 40dd84 lstrcmpiA 15378->15379 15383 40df89 15379->15383 15380 40dfc4 15380->14970 15381 40ddcf lstrcmpA 15381->15383 15382 40ec2e codecvt 4 API calls 15382->15383 15383->15380 15383->15381 15383->15382 15384 40dd84 lstrcmpiA 15383->15384 15384->15383 15386 40ea98 15385->15386 15426 40e8a1 15386->15426 15388 401e84 15388->14973 15390 4019d5 GetProcAddress GetProcAddress GetProcAddress 15389->15390 15391 4019ce 15389->15391 15392 401ab3 FreeLibrary 15390->15392 15393 401a04 15390->15393 15391->14977 15392->15391 15393->15392 15394 401a14 GetProcessHeap 15393->15394 15394->15391 15396 401a2e HeapAlloc 15394->15396 15396->15391 15397 401a42 15396->15397 15398 401a52 HeapReAlloc 15397->15398 15400 401a62 15397->15400 15398->15400 15399 401aa1 FreeLibrary 15399->15391 15400->15399 15401 401a96 HeapFree 15400->15401 15401->15399 15454 401ac3 LoadLibraryA 15402->15454 15405 401bcf 15405->14988 15407 401ac3 12 API 
calls 15406->15407 15408 401c09 15407->15408 15409 401c0d GetComputerNameA 15408->15409 15412 401c41 15408->15412 15410 401c45 GetVolumeInformationA 15409->15410 15411 401c1f 15409->15411 15410->15412 15411->15410 15411->15412 15412->14996 15414 40ee2a 15413->15414 15415 4030d0 gethostname gethostbyname 15414->15415 15416 401f82 15415->15416 15416->15001 15416->15003 15420 402419 lstrlenA 15417->15420 15419 402491 15419->15374 15421 40243d lstrlenA 15420->15421 15425 402474 15420->15425 15422 402464 lstrlenA 15421->15422 15423 40244e lstrcmpiA 15421->15423 15422->15421 15422->15425 15423->15422 15424 40245c 15423->15424 15424->15422 15424->15425 15425->15419 15427 40dd05 6 API calls 15426->15427 15428 40e8b4 15427->15428 15429 40dd84 lstrcmpiA 15428->15429 15430 40e8c0 15429->15430 15431 40e90a 15430->15431 15432 40e8c8 lstrcpynA 15430->15432 15433 402419 4 API calls 15431->15433 15442 40ea27 15431->15442 15434 40e8f5 15432->15434 15435 40e926 lstrlenA lstrlenA 15433->15435 15447 40df4c 15434->15447 15436 40e96a 15435->15436 15437 40e94c lstrlenA 15435->15437 15441 40ebcc 4 API calls 15436->15441 15436->15442 15437->15436 15439 40e901 15440 40dd84 lstrcmpiA 15439->15440 15440->15431 15443 40e98f 15441->15443 15442->15388 15443->15442 15444 40df4c 20 API calls 15443->15444 15445 40ea1e 15444->15445 15446 40ec2e codecvt 4 API calls 15445->15446 15446->15442 15448 40dd05 6 API calls 15447->15448 15449 40df51 15448->15449 15450 40f04e 4 API calls 15449->15450 15451 40df58 15450->15451 15452 40de24 10 API calls 15451->15452 15453 40df63 15452->15453 15453->15439 15455 401ae2 GetProcAddress 15454->15455 15460 401b68 GetComputerNameA GetVolumeInformationA 15454->15460 15456 401af5 15455->15456 15455->15460 15457 40ebed 8 API calls 15456->15457 15458 401b29 15456->15458 15457->15456 15458->15458 15459 40ec2e codecvt 4 API calls 15458->15459 15458->15460 15459->15460 15460->15405 15462 406ec3 2 API calls 15461->15462 15463 407ef4 15462->15463 15464 4073ff 17 API calls 
15463->15464 15473 407fc9 15463->15473 15465 407f16 15464->15465 15465->15473 15474 407809 GetUserNameA 15465->15474 15467 407f63 15468 40ef1e lstrlenA 15467->15468 15467->15473 15469 407fa6 15468->15469 15470 40ef1e lstrlenA 15469->15470 15471 407fb7 15470->15471 15498 407a95 RegOpenKeyExA 15471->15498 15473->15015 15475 40783d LookupAccountNameA 15474->15475 15480 407a8d 15474->15480 15476 407874 GetLengthSid GetFileSecurityA 15475->15476 15475->15480 15477 4078a8 GetSecurityDescriptorOwner 15476->15477 15476->15480 15478 4078c5 EqualSid 15477->15478 15479 40791d GetSecurityDescriptorDacl 15477->15479 15478->15479 15481 4078dc LocalAlloc 15478->15481 15479->15480 15492 407941 15479->15492 15480->15467 15481->15479 15482 4078ef InitializeSecurityDescriptor 15481->15482 15484 407916 LocalFree 15482->15484 15485 4078fb SetSecurityDescriptorOwner 15482->15485 15483 40795b GetAce 15483->15492 15484->15479 15485->15484 15486 40790b SetFileSecurityA 15485->15486 15486->15484 15487 407980 EqualSid 15487->15492 15488 407a3d 15488->15480 15491 407a43 LocalAlloc 15488->15491 15489 4079be EqualSid 15489->15492 15490 40799d DeleteAce 15490->15492 15491->15480 15493 407a56 InitializeSecurityDescriptor 15491->15493 15492->15480 15492->15483 15492->15487 15492->15488 15492->15489 15492->15490 15494 407a62 SetSecurityDescriptorDacl 15493->15494 15495 407a86 LocalFree 15493->15495 15494->15495 15496 407a73 SetFileSecurityA 15494->15496 15495->15480 15496->15495 15497 407a83 15496->15497 15497->15495 15499 407ac4 15498->15499 15500 407acb GetUserNameA 15498->15500 15499->15473 15501 407da7 RegCloseKey 15500->15501 15502 407aed LookupAccountNameA 15500->15502 15501->15499 15502->15501 15503 407b24 RegGetKeySecurity 15502->15503 15503->15501 15504 407b49 GetSecurityDescriptorOwner 15503->15504 15505 407b63 EqualSid 15504->15505 15506 407bb8 GetSecurityDescriptorDacl 15504->15506 15505->15506 15507 407b74 LocalAlloc 15505->15507 15508 407da6 15506->15508 15513 407bdc 15506->15513 
15507->15506 15509 407b8a InitializeSecurityDescriptor 15507->15509 15508->15501 15511 407bb1 LocalFree 15509->15511 15512 407b96 SetSecurityDescriptorOwner 15509->15512 15510 407bf8 GetAce 15510->15513 15511->15506 15512->15511 15514 407ba6 RegSetKeySecurity 15512->15514 15513->15508 15513->15510 15515 407c1d EqualSid 15513->15515 15516 407c5f EqualSid 15513->15516 15517 407cd9 15513->15517 15518 407c3a DeleteAce 15513->15518 15514->15511 15515->15513 15516->15513 15517->15508 15519 407d5a LocalAlloc 15517->15519 15520 407cf2 RegOpenKeyExA 15517->15520 15518->15513 15519->15508 15521 407d70 InitializeSecurityDescriptor 15519->15521 15520->15519 15526 407d0f 15520->15526 15522 407d7c SetSecurityDescriptorDacl 15521->15522 15523 407d9f LocalFree 15521->15523 15522->15523 15524 407d8c RegSetKeySecurity 15522->15524 15523->15508 15524->15523 15525 407d9c 15524->15525 15525->15523 15527 407d43 RegSetValueExA 15526->15527 15527->15519 15528 407d54 15527->15528 15528->15519 15529->15031 15531 40dd05 6 API calls 15530->15531 15534 40e65f 15531->15534 15532 40e6a5 15533 40ebcc 4 API calls 15532->15533 15539 40e6f5 15532->15539 15536 40e6b0 15533->15536 15534->15532 15535 40e68c lstrcmpA 15534->15535 15535->15534 15537 40e6b7 15536->15537 15538 40e6e0 lstrcpynA 15536->15538 15536->15539 15537->15033 15538->15539 15539->15537 15540 40e71d lstrcmpA 15539->15540 15540->15539 15541->15039 15543 40c525 15542->15543 15544 40c532 15542->15544 15543->15544 15546 40ec2e codecvt 4 API calls 15543->15546 15545 40c548 15544->15545 15694 40e7ff 15544->15694 15548 40e7ff lstrcmpiA 15545->15548 15556 40c54f 15545->15556 15546->15544 15549 40c615 15548->15549 15550 40ebcc 4 API calls 15549->15550 15549->15556 15550->15556 15551 40c5d1 15554 40ebcc 4 API calls 15551->15554 15553 40e819 11 API calls 15555 40c5b7 15553->15555 15554->15556 15557 40f04e 4 API calls 15555->15557 15556->15052 15558 40c5bf 15557->15558 15558->15545 15558->15551 15560 402692 inet_addr 15559->15560 15561 40268e 
15559->15561 15560->15561 15562 40269e gethostbyname 15560->15562 15563 40f428 15561->15563 15562->15561 15697 40f315 15563->15697 15568 40c8d2 15566->15568 15567 40c907 15567->15054 15568->15567 15569 40c517 23 API calls 15568->15569 15569->15567 15570 40f43e 15571 40f473 recv 15570->15571 15572 40f47c 15571->15572 15573 40f458 15571->15573 15572->15070 15573->15571 15573->15572 15575 40c670 15574->15575 15576 40c67d 15574->15576 15577 40ebcc 4 API calls 15575->15577 15578 40ebcc 4 API calls 15576->15578 15580 40c699 15576->15580 15577->15576 15578->15580 15579 40c6f3 15579->15083 15579->15134 15580->15579 15581 40c73c send 15580->15581 15581->15579 15583 40c770 15582->15583 15584 40c77d 15582->15584 15586 40ebcc 4 API calls 15583->15586 15585 40c799 15584->15585 15587 40ebcc 4 API calls 15584->15587 15588 40c7b5 15585->15588 15589 40ebcc 4 API calls 15585->15589 15586->15584 15587->15585 15590 40f43e recv 15588->15590 15589->15588 15591 40c7cb 15590->15591 15592 40f43e recv 15591->15592 15593 40c7d3 15591->15593 15592->15593 15593->15134 15710 407db7 15594->15710 15597 407e70 15598 407e96 15597->15598 15601 40f04e 4 API calls 15597->15601 15598->15134 15599 40f04e 4 API calls 15600 407e4c 15599->15600 15600->15597 15602 40f04e 4 API calls 15600->15602 15601->15598 15602->15597 15604 406ec3 2 API calls 15603->15604 15605 407fdd 15604->15605 15606 4080c2 CreateProcessA 15605->15606 15607 4073ff 17 API calls 15605->15607 15606->15136 15606->15137 15608 407fff 15607->15608 15608->15606 15609 407809 21 API calls 15608->15609 15610 40804d 15609->15610 15610->15606 15611 40ef1e lstrlenA 15610->15611 15612 40809e 15611->15612 15613 40ef1e lstrlenA 15612->15613 15614 4080af 15613->15614 15615 407a95 24 API calls 15614->15615 15615->15606 15617 407db7 2 API calls 15616->15617 15618 407eb8 15617->15618 15619 40f04e 4 API calls 15618->15619 15620 407ece DeleteFileA 15619->15620 15620->15134 15622 40dd05 6 API calls 15621->15622 15623 40e31d 15622->15623 15714 40e177 
15623->15714 15625 40e326 15625->15108 15627 4031f3 15626->15627 15637 4031ec 15626->15637 15628 40ebcc 4 API calls 15627->15628 15641 4031fc 15628->15641 15629 40344b 15630 403459 15629->15630 15631 40349d 15629->15631 15632 40f04e 4 API calls 15630->15632 15633 40ec2e codecvt 4 API calls 15631->15633 15634 40345f 15632->15634 15633->15637 15635 4030fa 4 API calls 15634->15635 15635->15637 15636 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15636->15641 15637->15134 15638 40344d 15639 40ec2e codecvt 4 API calls 15638->15639 15639->15629 15641->15629 15641->15636 15641->15637 15641->15638 15642 403141 lstrcmpiA 15641->15642 15740 4030fa GetTickCount 15641->15740 15642->15641 15644 4030fa 4 API calls 15643->15644 15645 403c1a 15644->15645 15646 403ce6 15645->15646 15745 403a72 15645->15745 15646->15134 15649 403a72 9 API calls 15651 403c5e 15649->15651 15650 403a72 9 API calls 15650->15651 15651->15646 15651->15650 15652 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15651->15652 15652->15651 15654 403a10 15653->15654 15655 4030fa 4 API calls 15654->15655 15656 403a1a 15655->15656 15656->15134 15658 40dd05 6 API calls 15657->15658 15659 40e7be 15658->15659 15659->15134 15661 40c105 15660->15661 15662 40c07e wsprintfA 15660->15662 15661->15134 15754 40bfce GetTickCount wsprintfA 15662->15754 15664 40c0ef 15755 40bfce GetTickCount wsprintfA 15664->15755 15667 407047 15666->15667 15668 406f88 15666->15668 15667->15134 15668->15668 15669 406f94 LookupAccountNameA 15668->15669 15670 407025 15669->15670 15671 406fcb 15669->15671 15672 406edd 5 API calls 15670->15672 15673 406fdb ConvertSidToStringSidA 15671->15673 15674 40702a wsprintfA 15672->15674 15673->15670 15675 406ff1 15673->15675 15674->15667 15676 407013 LocalFree 15675->15676 15676->15670 15678 40dd05 6 API calls 15677->15678 15679 40e85c 15678->15679 15680 40dd84 lstrcmpiA 15679->15680 15681 40e867 15680->15681 15682 40e885 lstrcpyA 15681->15682 15756 4024a5 15681->15756 15759 40dd69 
15682->15759 15688 407db7 2 API calls 15687->15688 15689 407de1 15688->15689 15690 407e16 15689->15690 15691 40f04e 4 API calls 15689->15691 15690->15134 15692 407df2 15691->15692 15692->15690 15693 40f04e 4 API calls 15692->15693 15693->15690 15695 40dd84 lstrcmpiA 15694->15695 15696 40c58e 15695->15696 15696->15545 15696->15551 15696->15553 15698 40ca1d 15697->15698 15699 40f33b 15697->15699 15698->15067 15698->15570 15700 40f347 htons socket 15699->15700 15701 40f382 ioctlsocket 15700->15701 15702 40f374 closesocket 15700->15702 15703 40f3aa connect select 15701->15703 15704 40f39d 15701->15704 15702->15698 15703->15698 15706 40f3f2 __WSAFDIsSet 15703->15706 15705 40f39f closesocket 15704->15705 15705->15698 15706->15705 15707 40f403 ioctlsocket 15706->15707 15709 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15707->15709 15709->15698 15711 407dc8 InterlockedExchange 15710->15711 15712 407dc0 Sleep 15711->15712 15713 407dd4 15711->15713 15712->15711 15713->15597 15713->15599 15715 40e184 15714->15715 15716 40e2e4 15715->15716 15717 40e223 15715->15717 15730 40dfe2 15715->15730 15716->15625 15717->15716 15719 40dfe2 8 API calls 15717->15719 15723 40e23c 15719->15723 15720 40e1be 15720->15717 15721 40dbcf 3 API calls 15720->15721 15724 40e1d6 15721->15724 15722 40e21a CloseHandle 15722->15717 15723->15716 15734 40e095 RegCreateKeyExA 15723->15734 15724->15717 15724->15722 15725 40e1f9 WriteFile 15724->15725 15725->15722 15727 40e213 15725->15727 15727->15722 15728 40e2a3 15728->15716 15729 40e095 4 API calls 15728->15729 15729->15716 15731 40dffc 15730->15731 15733 40e024 15730->15733 15732 40db2e 8 API calls 15731->15732 15731->15733 15732->15733 15733->15720 15735 40e172 15734->15735 15737 40e0c0 15734->15737 15735->15728 15736 40e13d 15738 40e14e RegDeleteValueA RegCloseKey 15736->15738 15737->15736 15739 40e115 RegSetValueExA 15737->15739 15738->15735 15739->15736 15739->15737 15741 403122 InterlockedExchange 15740->15741 15742 40312e 
15741->15742 15743 40310f GetTickCount 15741->15743 15742->15641 15743->15742 15744 40311a Sleep 15743->15744 15744->15741 15746 40f04e 4 API calls 15745->15746 15753 403a83 15746->15753 15747 403ac1 15747->15646 15747->15649 15748 403be6 15751 40ec2e codecvt 4 API calls 15748->15751 15749 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15750 403bc0 15749->15750 15750->15748 15750->15749 15751->15747 15752 403b66 lstrlenA 15752->15747 15752->15753 15753->15747 15753->15750 15753->15752 15754->15664 15755->15661 15757 402419 4 API calls 15756->15757 15758 4024b6 15757->15758 15758->15682 15760 40dd79 lstrlenA 15759->15760 15760->15134 15762 404084 15761->15762 15763 40407d 15761->15763 15764 403ecd 6 API calls 15762->15764 15765 40408f 15764->15765 15766 404000 3 API calls 15765->15766 15768 404095 15766->15768 15767 404130 15769 403ecd 6 API calls 15767->15769 15768->15767 15773 403f18 4 API calls 15768->15773 15770 404159 CreateNamedPipeA 15769->15770 15771 404167 Sleep 15770->15771 15772 404188 ConnectNamedPipe 15770->15772 15771->15767 15774 404176 CloseHandle 15771->15774 15776 404195 GetLastError 15772->15776 15785 4041ab 15772->15785 15775 4040da 15773->15775 15774->15772 15777 403f8c 4 API calls 15775->15777 15778 40425e DisconnectNamedPipe 15776->15778 15776->15785 15779 4040ec 15777->15779 15778->15772 15780 404127 CloseHandle 15779->15780 15781 404101 15779->15781 15780->15767 15783 403f18 4 API calls 15781->15783 15782 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15782->15785 15784 40411c ExitProcess 15783->15784 15785->15772 15785->15778 15785->15782 15786 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15785->15786 15787 40426a CloseHandle CloseHandle 15785->15787 15786->15785 15788 40e318 23 API calls 15787->15788 15789 40427b 15788->15789 15789->15789 15791 408791 15790->15791 15795 40879f 15790->15795 15792 40f04e 4 API calls 15791->15792 15792->15795 15793 40f04e 4 API calls 15796 4087bc 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\qkkcfptf.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\qkkcfptf.exe$C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$D$P$\$tdomrpcj
• API String ID: 2089075347-485439064
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph

• Graph of function 00407A95 (basic blocks 264-315; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: RegOpenKeyExA (00407A95), GetUserNameA (00407ACB), LookupAccountNameA (00407AED), RegGetKeySecurity (00407B24), GetSecurityDescriptorOwner (00407B49), EqualSid (00407B63), LocalAlloc (00407B74), InitializeSecurityDescriptor (00407B8A), SetSecurityDescriptorOwner (00407B96), RegSetKeySecurity (00407BA6), LocalFree (00407BB1), GetSecurityDescriptorDacl (00407BB8), GetAce (00407BF8), EqualSid (00407C1D), DeleteAce (00407C3A), EqualSid (00407C5F), RegOpenKeyExA (00407CF2), RegSetValueExA after a call to 00402544 (00407D20), LocalAlloc (00407D5A), InitializeSecurityDescriptor (00407D70), SetSecurityDescriptorDacl (00407D7C), RegSetKeySecurity (00407D8C), LocalFree (00407D9F), RegCloseKey (00407DA7). The GetAce block heads a loop over the DACL entries (block 285 returns to it); the DeleteAce, SetSecurityDescriptorDacl and RegSetValueExA calls are not in the API list below because the list stops at GetSecurityDescriptorDacl.
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                  • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$D
                                                                                                  • API String ID: 2976863881-2638929953
                                                                                                  • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                  • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

Control-flow Graph

• Graph of function 004073FF (basic blocks 316-434; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: RegOpenKeyExA after calls to 00406DC2 and 00402544 (0040743A), RegOpenKeyExA (004074D2), RegQueryValueExA after a call to 00402544 (004074FE), a call to 0040ED77 (the ___ascii_stricmp at 0040764D in the API list), RegCloseKey (004076E4), RegEnumKeyA (00407703), RegCloseKey (00407714), RegCloseKey (00407742), GetFileAttributesExA (0040777E), RegCloseKey (004077E3), RegCloseKey (004077EC). The RegEnumKeyA block heads a subkey-enumeration loop (block 343 returns to it); each iteration opens the enumerated subkey, queries a value from it and compares it case-insensitively before the GetFileAttributesExA check is reached.
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                                    • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                  • String ID: "
                                                                                                  • API String ID: 3433985886-123907689
                                                                                                  • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                  • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                  • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                  • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph

• Graph of function 0077003C (basic blocks 438-521, in the non-PE-backed region at 00770000; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: VirtualAlloc after calls to 00770A3F, 00770E0F and 00770D90 (0077004C), VirtualProtect followed by calls to 00770CCE and 00770CE7 (007702CE), VirtualFree (00770439), LoadLibraryA (007704E3), LoadLibraryA (0077086E). Only the first VirtualAlloc appears in the API list below; together with the kernel32.dll string this allocate, protect, free and LoadLibraryA sequence is consistent with a loader stub that maps code and resolves imports, which matches the unpacking behaviour flagged in the overview.
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0077024D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID: cess$kernel32.dll
                                                                                                  • API String ID: 4275171209-1230238691
                                                                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                  • Instruction ID: eb967b8dd150540dfe34656cd18d3c8926ccd1c5aeb965a026e86d844c862aa8
                                                                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                  • Instruction Fuzzy Hash: 34526874A00229DFDB64CF68C985BA8BBB1BF09304F1480D9E90DAB351DB34AE95DF54

Control-flow Graph

• Graph of function 0040977C (basic blocks 522-537; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: CreateProcessA after a call to 0040EE2A (0040977C), Wow64GetThreadContext after a call to 0040EE2A (004097C2), TerminateProcess (004097F6, the shared failure path), a call to 0040637C (00409801, the remote allocation and write function above), WriteProcessMemory (0040981E), Wow64SetThreadContext (0040983B), ResumeThread (00409858). Every failed step branches to the TerminateProcess block, so the child is only resumed after the context has been rewritten.
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                                  • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                                  • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2098669666-2746444292
                                                                                                  • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                  • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
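The three listings above are the API footprints of three distinct techniques: 0040637C allocates remote memory with flProtect 00000040 (PAGE_EXECUTE_READWRITE) and writes into it; 00407A95 takes ownership of a registry key through RegGetKeySecurity, SetSecurityDescriptorOwner and RegSetKeySecurity; 0040977C creates a child with dwCreationFlags 00000004 (CREATE_SUSPENDED), rewrites its thread context and resumes it, which is process hollowing. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample's code. It parses API lines in this report's format, orders them by the ref address and checks for those ordered sequences, requiring the flag bits that make each sequence suspicious. The signature names and the benign listing are constructed for the example; the three positive listings are copied from the report above.

```python
"""Flag injection and persistence API sequences in Joe Sandbox-style API listings.

Added example: parses lines such as
    • CreateProcessA.KERNELBASE(00000000,...,00000004,...), ref: 004097B1
orders the calls by call-site address and looks for ordered subsequences whose
flag arguments carry the values that make the sequence suspicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags (argument index 5)
PAGE_EXECUTE_READWRITE = 0x00000040  # VirtualAllocEx flProtect (argument index 4)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]  # hex arguments as ints; '?' and symbols become None
    ref: int                   # address of the call site


@dataclass
class Step:
    api: str                        # regex the API name must fully match
    arg_index: Optional[int] = None
    mask: int = 0                   # every bit of mask must be set in that argument


# Signature names are constructed for this example.
SIGNATURES = {
    "process hollowing (suspended child, context swap)": [
        Step(r"CreateProcess[AW]", 5, CREATE_SUSPENDED),
        Step(r"(Wow64)?GetThreadContext"),
        Step(r"WriteProcessMemory"),
        Step(r"(Wow64)?SetThreadContext"),
        Step(r"ResumeThread"),
    ],
    "remote RWX allocation and write": [
        Step(r"VirtualAllocEx", 4, PAGE_EXECUTE_READWRITE),
        Step(r"WriteProcessMemory"),
    ],
    "registry key ownership/ACL takeover": [
        Step(r"RegGetKeySecurity"),
        Step(r"SetSecurityDescriptorOwner"),
        Step(r"RegSetKeySecurity"),
    ],
}


def parse_calls(listing: str) -> List[Call]:
    """Parse API lines and return the calls sorted by call-site address."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args: List[Optional[int]] = []
        for tok in (raw.split(",") if raw else []):
            tok = tok.strip()
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None)
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def step_matches(step: Step, call: Call) -> bool:
    if not re.fullmatch(step.api, call.api):
        return False
    if step.arg_index is None:
        return True
    if step.arg_index >= len(call.args):
        return False
    value = call.args[step.arg_index]
    return value is not None and (value & step.mask) == step.mask


def contains_sequence(calls: List[Call], steps: List[Step]) -> bool:
    """True if the steps occur in order; unrelated calls may sit between them."""
    i = 0
    for call in calls:
        if i < len(steps) and step_matches(steps[i], call):
            i += 1
    return i == len(steps)


def match_signatures(listing: str) -> List[str]:
    calls = parse_calls(listing)
    return [name for name, steps in SIGNATURES.items() if contains_sequence(calls, steps)]


# Copied from the report's function 0040977C.
HOLLOWING_LISTING = """\
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
# Copied from the report's function 0040637C.
REMOTE_WRITE_LISTING = """\
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
# Copied from the report's function 00407A95 (the ownership-takeover part).
REGISTRY_LISTING = """\
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
"""
# Constructed benign listing: a normal (non-suspended) child launch.
BENIGN_LISTING = """\
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 00401020
"""

if __name__ == "__main__":
    for name, listing in [("0040977C", HOLLOWING_LISTING), ("0040637C", REMOTE_WRITE_LISTING),
                          ("00407A95", REGISTRY_LISTING), ("benign", BENIGN_LISTING)]:
        print(name, match_signatures(listing))
```

The subsequence check deliberately tolerates calls between the steps (the TerminateProcess and LocalAlloc lines above do not break a match), and the flag masks keep a plain CreateProcess or a PAGE_READWRITE VirtualAllocEx from firing. Sorting by ref rather than list order matters for the registry function, whose API list is printed in graph order, not address order.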

Control-flow Graph

• Graph of function 00404000 (basic blocks 550-559; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: CreateFileA (0040400B), GetLastError (0040402C), Sleep (00404041). The Sleep block loops back to the CreateFileA block (edge 559->551), so the function retries the open after the 500 ms (000001F4) sleep seen in the API list until it succeeds or the error check gives up.
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                                  • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                                  • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 408151869-0
                                                                                                  • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                  • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                  • String ID:
                                                                                                  • API String ID: 1209300637-0
                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph

• Graph of function 00406E36 (basic blocks 578-587; rendered as an image in the original report, node list not reproduced). API-calling blocks in address order: GetUserNameW (00406E36), LookupAccountNameW (00406E5F); the remaining blocks inspect the returned SID and branch to the exit at 00406EBE.
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 2370142434-0
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 588 a026b8-a026d1 589 a026d3-a026d5 588->589 590 a026d7 589->590 591 a026dc-a026e8 CreateToolhelp32Snapshot 589->591 590->591 592 a026f8-a02705 Module32First 591->592 593 a026ea-a026f0 591->593 594 a02707-a02708 call a02377 592->594 595 a0270e-a02716 592->595 593->592 598 a026f2-a026f6 593->598 599 a0270d 594->599 598->589 598->592 599->595
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A026E0
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 00A02700
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286235546.00000000009F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 009F2000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_9f2000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: 3858b1a7535dcc821b34fdbc26af3ffddfc2bbd9f8d3685dfe5621076fb7d805
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: 21F062315007186BDB203BB9A88DB6A76E8EF49724F100569E652964C0DB71E8454B61

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 601 770e0f-770e24 SetErrorMode * 2 602 770e26 601->602 603 770e2b-770e2c 601->603 602->603
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000400,?,?,00770223,?,?), ref: 00770E19
                                                                                                  • SetErrorMode.KERNELBASE(00000000,?,?,00770223,?,?), ref: 00770E1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction ID: f2e617ca39dc8991cb6ac2ca656cf8dc3aa0cf64d11947b8883ade7833503f58
                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction Fuzzy Hash: 16D01231145128B7DB003A94DC09BCD7B1CDF09BA2F008411FB0DD9080C7B4994046E5

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 604 406dc2-406dd5 605 406e33-406e35 604->605 606 406dd7-406df1 call 406cc9 call 40ef00 604->606 611 406df4-406df9 606->611 611->611 612 406dfb-406e00 611->612 613 406e02-406e22 GetVolumeInformationA 612->613 614 406e24 612->614 613->614 615 406e2e 613->615 614->615 615->605
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1823874839-0
                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 616 409892-4098c0 617 4098c2-4098c5 616->617 618 4098d9 616->618 617->618 619 4098c7-4098d7 617->619 620 4098e0-4098f1 SetServiceStatus 618->620 619->620
                                                                                                  APIs
                                                                                                  • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ServiceStatus
                                                                                                  • String ID:
                                                                                                  • API String ID: 3969395364-0
                                                                                                  • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                  • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                  • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                  • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 621 770920-770929 TerminateProcess
                                                                                                  APIs
                                                                                                  • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00770929
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 560597551-0
                                                                                                  • Opcode ID: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                  • Instruction ID: 32c6b922947ea3cccd1969f265569fcdca6cd0b55213c4fffb902dc8cd283092
                                                                                                  • Opcode Fuzzy Hash: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                  • Instruction Fuzzy Hash: 2C9002A42C425031D860259C0C01F5501052741630F3507147130AE5D0C44156404215

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 622 a02377-a023b1 call a0268a 625 a023b3-a023e6 VirtualAlloc call a02404 622->625 626 a023ff 622->626 628 a023eb-a023fd 625->628 626->626 628->626
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A023C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286235546.00000000009F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 009F2000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_9f2000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 61a23810a1b4e7b1078aab94dfd1ca4640a0dc5dd7628011b754555959d93f45
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: 2D113F79A00208EFDB01DF98C989E98BBF5EF08350F058094F9489B362D771EA50DF80
                                                                                                  APIs
                                                                                                    • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                  • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3100162736-0
                                                                                                  • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                  • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                  • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                  • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 007765F6
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00776610
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00776631
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00776652
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1965334864-0
                                                                                                  • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction ID: 826209737b753dc832981653273453de62ed20454bd0d825e6a4a065336a96dd
                                                                                                  • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction Fuzzy Hash: 211173B1600218BFDB219F65DC4AF9B3FA8EB057E5F108024F908E7255D7B5DD109AB4
                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32 ref: 00779E6D
                                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00779FE1
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 00779FF2
                                                                                                  • lstrcat.KERNEL32(?,0041070C), ref: 0077A004
                                                                                                  • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0077A054
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0077A09F
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0077A0D6
                                                                                                  • lstrcpy.KERNEL32 ref: 0077A12F
                                                                                                  • lstrlen.KERNEL32(00000022), ref: 0077A13C
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 00779F13
                                                                                                    • Part of subcall function 00777029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00777081
                                                                                                    • Part of subcall function 00776F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\tdomrpcj,00777043), ref: 00776F4E
                                                                                                    • Part of subcall function 00776F30: GetProcAddress.KERNEL32(00000000), ref: 00776F55
                                                                                                    • Part of subcall function 00776F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00776F7B
                                                                                                    • Part of subcall function 00776F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00776F92
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0077A1A2
                                                                                                  • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0077A1C5
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0077A214
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0077A21B
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 0077A265
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0077A29F
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0077A2C5
                                                                                                  • lstrcat.KERNEL32(?,00000022), ref: 0077A2D9
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0077A2F4
                                                                                                  • wsprintfA.USER32 ref: 0077A31D
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0077A345
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 0077A364
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0077A387
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0077A398
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0077A1D1
                                                                                                    • Part of subcall function 00779966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0077999D
                                                                                                    • Part of subcall function 00779966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007799BD
                                                                                                    • Part of subcall function 00779966: RegCloseKey.ADVAPI32(?), ref: 007799C6
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0077A3DB
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0077A3E2
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0077A41D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                  • String ID: "$"$"$D$P$\
                                                                                                  • API String ID: 1653845638-2605685093
                                                                                                  • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction ID: aa3141979343131c3b5eb88b30a3bea44c52ab0108e18662fb00509823062475
                                                                                                  • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction Fuzzy Hash: E0F130B1D40259FEEF11DBA08C49EEF7BBCAB48344F0484A5E609E2141E7798A85CF65
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                  • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                  • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  • API String ID: 766114626-2976066047
                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00777D21
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00777D46
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777D7D
                                                                                                  • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00777DA2
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00777DC0
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00777DD1
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00777DE5
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777DF3
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00777E03
                                                                                                  • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00777E12
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00777E19
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00777E35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$D
                                                                                                  • API String ID: 2976863881-2638929953
                                                                                                  • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction ID: 257c08014dce105198e6c41c35a75377b5f05d6f7a39559e6bf31107c496b516
                                                                                                  • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction Fuzzy Hash: 9AA14E71900219AFDF11CFA0DD88FEEBBB9FB08340F148469E519E6150DB798A85CB65
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                  • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                  • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                  • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00777A96
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777ACD
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00777ADF
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00777B01
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00777B1F
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00777B39
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00777B4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777B58
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00777B68
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00777B77
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00777B7E
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00777B9A
                                                                                                  • GetAce.ADVAPI32(?,?,?), ref: 00777BCA
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00777BF1
                                                                                                  • DeleteAce.ADVAPI32(?,?), ref: 00777C0A
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00777C2C
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00777CB1
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777CBF
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00777CD0
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00777CE0
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00777CEE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: 1359a93c46f67dcf9840065ed5c5057464e23708e9806f6fce1ca0317ab3bca1
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: A4814E72904219AFDF16CFA4DD44FEEBBBCAF0C344F14806AE609E6150D7799A41CBA4
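Each block above is a Joe Sandbox IDA-plugin summary of one recovered function: the API calls it makes with an argument snapshot and a code reference, the strings it touches (joined with `$` in the String ID line), and content hashes for similarity matching. The script below is an added triage example, not part of this report and not Joe Sandbox code: it parses blocks in that layout and flags three capabilities that the listings on this page expose, the SMTP client command set (`send`/`recv` plus `ehlo`, `mail from`, `rcpt to`, `data`, `quit`), the security-descriptor rewrite sequence (`SetFileSecurityA` with OWNER_SECURITY_INFORMATION, `DeleteAce`, then `SetFileSecurityA` with DACL_SECURITY_INFORMATION), and runtime resolution of `Nt*`/`Rtl*` exports after an explicit `LoadLibraryA("ntdll.dll")`. The input excerpt is constructed from lines copied from the blocks above with the layout indentation removed; the parser assumes the bullet, the `ref:` suffix and the field labels appear exactly as rendered here.

```python
"""Triage helper for Joe Sandbox IDA-plugin function summaries (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the report blocks on this page.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
Strings
• String ID: NtClose$NtDuplicateToken$NtOpenProcessToken$ntdll.dll
• API String ID: 2238633743-3228201535
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
APIs
• wsprintfA.USER32 ref: 0040A7FB
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
Strings
• String ID: .$AUTH LOGIN$ESMTP$data$ehlo %s$helo %s$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
APIs
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00777B01
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00777B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00777B77
• GetAce.ADVAPI32(?,?,?), ref: 00777BCA
• DeleteAce.ADVAPI32(?,?), ref: 00777C0A
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00777CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00777CE0
Strings
• String ID: D
• API String ID: 3722657555-2746444292
• Instruction ID: 1359a93c46f67dcf9840065ed5c5057464e23708e9806f6fce1ca0317ab3bca1
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; subcall prefix optional.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^•\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # "• Label: value"

SMTP_VERBS = {"ehlo %s", "helo %s", "mail from:<%s>", "rcpt to:<%s>", "data", "quit"}
OWNER_SECURITY_INFORMATION = 0x1  # standard Win32 SECURITY_INFORMATION values
DACL_SECURITY_INFORMATION = 0x4


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):
        # The report joins strings with '$'; a literal '$' inside a string
        # cannot be told apart, so this split is best effort.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def api_names(self):
        return {a.name for a in self.apis}


def parse_blocks(text):
    """Split the report text into FunctionBlocks; a block starts at an 'APIs' line."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            arg_tuple = tuple(a.strip() for a in args.split(",")) if args else ()
            current.apis.append(ApiCall(name, module, arg_tuple, ref))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2).strip()
    return blocks


def security_info_flags(block):
    """SECURITY_INFORMATION values (2nd arg) passed to SetFileSecurityA/RegSetKeySecurity."""
    flags = set()
    for a in block.apis:
        if a.name in ("SetFileSecurityA", "RegSetKeySecurity") and len(a.args) > 1:
            try:
                flags.add(int(a.args[1], 16))
            except ValueError:
                pass
    return flags


def resolved_ntdll_exports(block):
    """Export names passed to GetProcAddress after an explicit LoadLibraryA('ntdll.dll')."""
    if not any(a.name == "LoadLibraryA" and a.args[:1] == ("ntdll.dll",) for a in block.apis):
        return []
    return [a.args[1] for a in block.apis if a.name == "GetProcAddress" and len(a.args) > 1]


def flag_capabilities(block):
    names, strings, flags = block.api_names, set(block.strings), []
    if {"send", "recv"} <= names and len(SMTP_VERBS & strings) >= 4:
        flags.append("smtp-client")
    if "DeleteAce" in names and {OWNER_SECURITY_INFORMATION,
                                 DACL_SECURITY_INFORMATION} <= security_info_flags(block):
        flags.append("acl-tamper")  # take ownership, strip ACEs, rewrite DACL
    if any(n.startswith(("Nt", "Rtl")) for n in resolved_ntdll_exports(block)):
        flags.append("ntdll-dynamic-resolve")
    return flags


def triage(text):
    """Return (Instruction ID, flags) for every block that triggers at least one flag."""
    return [(b.fields.get("Instruction ID", "?"), f)
            for b in parse_blocks(text) if (f := flag_capabilities(b))]


if __name__ == "__main__":
    for iid, flags in triage(SAMPLE):
        print(iid[:16], ", ".join(flags))
```

The Instruction ID is the key worth carrying into a hunting note: it identifies the function body independently of where the dump was loaded, which is why the file-ACL routine in the 00400000 image and its copy in the 00770000 region share one Opcode ID but differ in Instruction ID. Further checks that the page supports directly, such as the 0x3F6-byte `recv` buffer or the `Too big smtp respons` error string, fit the same `flag_capabilities` pattern.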
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$localcfg
• API String ID: 237177642-432336059
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0077865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0077867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007786A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007786B1
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
• API String ID: 237177642-2016731374
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• ShellExecuteExW.SHELL32(?), ref: 00771601
• lstrlenW.KERNEL32(-00000003), ref: 007717D8
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007776D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00777757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0077778F
• ___ascii_stricmp.LIBCMT ref: 007778B4
• RegCloseKey.ADVAPI32(?), ref: 0077794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0077796D
• RegCloseKey.ADVAPI32(?), ref: 0077797E
• RegCloseKey.ADVAPI32(?), ref: 007779AC
• RegCloseKey.ADVAPI32(?), ref: 00777A56
  • Part of subcall function 0077F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0077772A,?), ref: 0077F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007779F6
• RegCloseKey.ADVAPI32(?), ref: 00777A4D
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00772CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00772D07
• htons.WS2_32(00000000), ref: 00772D42
• select.WS2_32 ref: 00772D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00772DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00772E62
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,771B0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 0077202D
• GetSystemInfo.KERNEL32(?), ref: 0077204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0077206A
• GetProcAddress.KERNEL32(00000000), ref: 00772071
• GetCurrentProcess.KERNEL32(?), ref: 00772082
• GetTickCount.KERNEL32 ref: 00772230
  • Part of subcall function 00771E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00771E7C
Strings
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: c31f1bc74410f2b08661f2d85c19bbd7d30d1a15da9536fc07bf303803c94f0b
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: E851D570500348AFE730AF658C8AF677AECFB44784F40892DF99E82143D6BDA944C765
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                  • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1553760989-1857712256
                                                                                                  • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                  • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00773068
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00773078
                                                                                                  • GetProcAddress.KERNEL32(00000000,00410408), ref: 00773095
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007730B6
                                                                                                  • htons.WS2_32(00000035), ref: 007730EF
                                                                                                  • inet_addr.WS2_32(?), ref: 007730FA
                                                                                                  • gethostbyname.WS2_32(?), ref: 0077310D
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 0077314D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                  • String ID: iphlpapi.dll
                                                                                                  • API String ID: 2869546040-3565520932
                                                                                                  • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction ID: f4eca0bd814e8dcdeeba99fa8212fd549da60b0e1e424dfcf0573a2da01babad
                                                                                                  • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction Fuzzy Hash: 0E318731B0060AABDF119BB89C48AAE7778AF047A1F54C125E51CE7290DB78DE41DB54
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?), ref: 007795A7
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007795D5
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 007795DC
                                                                                                  • wsprintfA.USER32 ref: 00779635
                                                                                                  • wsprintfA.USER32 ref: 00779673
                                                                                                  • wsprintfA.USER32 ref: 007796F4
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00779758
                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0077978D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007797D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                  • String ID:
                                                                                                  • API String ID: 3696105349-0
                                                                                                  • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                  • Instruction ID: dbf737d5b8b309f009f61b9136445fc7bf9b61a7f6102b01cd6e5d2df684d9fc
                                                                                                  • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                  • Instruction Fuzzy Hash: F9A16FB1901208EFEF25DFA4CC45FDA3BACEB05781F108026FA1996152E779D984CBA5
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                  • API String ID: 3560063639-3847274415
                                                                                                  • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                  • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                  APIs
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpi
                                                                                                  • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                  • API String ID: 1586166983-1625972887
                                                                                                  • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                  • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188212458-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007767C3
                                                                                                  • htonl.WS2_32(?), ref: 007767DF
                                                                                                  • htonl.WS2_32(?), ref: 007767EE
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007768F1
                                                                                                  • ExitProcess.KERNEL32 ref: 007769BC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                  • String ID: except_info$localcfg
                                                                                                  • API String ID: 1150517154-3605449297
                                                                                                  • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction ID: 3b071b62396c4dd01147634692be2b3b918ae8c070e3e3dbdbc5081c41704860
                                                                                                  • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction Fuzzy Hash: 64614071940208EFDF609FA4DC45FEA77E9FB08300F148069FA5DD2161DA7599948F54
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0077CC84), ref: 0077F5B4
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0077F5CE
                                                                                                  • closesocket.WS2_32(00000000), ref: 0077F5DC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction ID: 2130cd02c8687465b3ce74a1b2361191e0f265ac2d194b003cb3f6234eb4da25
                                                                                                  • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction Fuzzy Hash: 3C316C72900118ABDB10DFA9DD89DEF7BBCEF88350F108576F919E3150E7749A818BA4
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                  • String ID: /%d$|
                                                                                                  • API String ID: 676856371-4124749705
                                                                                                  • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                  • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 00772FA1
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00772FB1
                                                                                                  • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00772FC8
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00773000
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00773007
                                                                                                  • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00773032
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: dnsapi.dll
                                                                                                  • API String ID: 1242400761-3175542204
                                                                                                  • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction ID: c3ac9e14c5d7cf3868173d33bf62decd1fd7d3e227205144027db8ac820c4efb
                                                                                                  • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction Fuzzy Hash: AE219271900229BBCF219B64DC48DAEBBB9EF08B90F108421F909E7141D7B89EC1D7D4
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                  • API String ID: 1082366364-3395550214
                                                                                                  • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                  • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00779A18
                                                                                                  • GetThreadContext.KERNEL32(?,?), ref: 00779A52
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00779A60
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00779A98
                                                                                                  • SetThreadContext.KERNEL32(?,00010002), ref: 00779AB5
                                                                                                  • ResumeThread.KERNEL32(?), ref: 00779AC2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                  • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction ID: 07103a66c7c2ca6f7ebf0672288caa3dd543a15af4a1cecfc0b829ce08cf95b2
                                                                                                  • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction Fuzzy Hash: 60213BB1A02219BBDF11DBA1DC09EEF7BBCEF05790F408061FA19E5150E7798A44CBA4
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(004102D8), ref: 00771C18
                                                                                                  • LoadLibraryA.KERNEL32(004102C8), ref: 00771C26
                                                                                                  • GetProcessHeap.KERNEL32 ref: 00771C84
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00771C9D
                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00771CC1
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 00771D02
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00771D0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID:
                                                                                                  • API String ID: 2324436984-0
                                                                                                  • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction ID: 0fb669a1ebe6ad571c1a12244d310c7ded1a1b0214e4d56ab833aa0f22bc7dfe
                                                                                                  • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction Fuzzy Hash: FF314332E00219BFCF219FE8DC888FEBBB9EB45751B65847AE505A2110D7B94D80DB64
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00776CE4
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00776D22
                                                                                                  • GetLastError.KERNEL32 ref: 00776DA7
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00776DB5
                                                                                                  • GetLastError.KERNEL32 ref: 00776DD6
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 00776DE7
                                                                                                  • GetLastError.KERNEL32 ref: 00776DFD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873183294-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: 57c00d9eba75bdd619f900ec181eec399ba67ed62ff144be809d2d6ba455e8e2
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 4F31EE76A00649BFCF21AFA49D48ADE7F79EB48380F14C075E219E3211D7748A858B61
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\tdomrpcj,00777043), ref: 00776F4E
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00776F55
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00776F7B
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00776F92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$\\.\pipe\tdomrpcj
                                                                                                  • API String ID: 1082366364-284805760
                                                                                                  • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction ID: 94a374d11bf80002d7bace51df95d5b1aa943ae6d9475a8fd27e91799c029012
                                                                                                  • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction Fuzzy Hash: 92210421744340B9FB225331AD8DFFB2E5C8B527A0F18C0A5F508A5182DADD88D6C2AD
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen
                                                                                                  • String ID: $localcfg
                                                                                                  • API String ID: 1659193697-2018645984
                                                                                                  • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction ID: dca6af621412f2becaa032310603d3d20f616e54509fccb7107ddea365ddb3f9
                                                                                                  • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction Fuzzy Hash: A5711972B00304BAFF318B54DC86FEE37699B813C5F24C466F90CA60A1DA6D9D848767
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                  • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                  • String ID: flags_upd$localcfg
                                                                                                  • API String ID: 204374128-3505511081
                                                                                                  • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                  • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                  APIs
                                                                                                    • Part of subcall function 0077DF6C: GetCurrentThreadId.KERNEL32 ref: 0077DFBA
                                                                                                  • lstrcmp.KERNEL32(00410178,00000000), ref: 0077E8FA
                                                                                                  • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00776128), ref: 0077E950
                                                                                                  • lstrcmp.KERNEL32(?,00000008), ref: 0077E989
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 2920362961-1846390581
                                                                                                  • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                  • Instruction ID: db3f7d9b3e1db57f1c2b64144296912afa41be0f2f84422f9043911f79305342
                                                                                                  • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                  • Instruction Fuzzy Hash: 75318F32604705DBDF718F24C884BA67BE8EB197A4F10C9AAE65987551D378F880CB92
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                  • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                  • Instruction ID: 286359c28aba6acab100507eaac5b7b71ff94d6a473f674f8446e7a316aac26a
                                                                                                  • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                  • Instruction Fuzzy Hash: 36216D76104615FFDF109B70EC49EEF3FADEB483A0B20C465F50AD1095EBB89A009674
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                  • wsprintfA.USER32 ref: 004090E9
                                                                                                  • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2439722600-0
                                                                                                  • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                  • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 007792E2
• wsprintfA.USER32 ref: 00779350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00779375
• lstrlen.KERNEL32(?,?,00000000), ref: 00779389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00779394
• CloseHandle.KERNEL32(00000000), ref: 0077939B
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 1ebf825d199486d4941955450386bbfc00b58bdfb044f13fc147bc98d9dfbfa2
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 821184B1740114BBEB606B31ED0EFEF3A6DDBC8B50F00C065FB09E5091EAB84A5186A4
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0077C6B4
• InterlockedIncrement.KERNEL32(0077C74B), ref: 0077C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0077C747), ref: 0077C728
• CloseHandle.KERNEL32(00000000,?,0077C747,00413588,00778A77), ref: 0077C733
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 3467bdd1cf6da529de6ae3c9b930f5bd9e3eaf9b402b1dae93de2f1c9d4c7540
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 56514CB1A01B418FDB258F29C5C552ABBE9FB4C340B60993EE18BC7A90D779F8408B50
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
• API String ID: 124786226-541925129
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0077E50A,00000000,00000000,00000000,00020106,00000000,0077E50A,00000000,000000E4), ref: 0077E319
• RegSetValueExA.ADVAPI32(0077E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0077E38E
• RegDeleteValueA.ADVAPI32(0077E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw), ref: 0077E3BF
• RegCloseKey.ADVAPI32(0077E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw,0077E50A), ref: 0077E3C8
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: Value$CloseCreateDelete
• String ID: Dw
• API String ID: 2667537340-3192257026
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 97ba917be264961d4311b1b65abaf7195d0e3157e6851e21a3d70bc03237ca25
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 32215C71A0021DBBDF209FA4EC89EEE7F79EF08790F108061F908E7151E2758A54D7A0
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007771E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777228
• LocalFree.KERNEL32(?,?,?), ref: 00777286
• wsprintfA.USER32 ref: 0077729D
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 48583f42aea7806cb621d0c20bb0839618128c36e356d2c140f9f6805c271316
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 65310B72A04208BBDF01DFA4DC49ADA7BBCEF04354F14C066F959DB111EA79D648CB94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
APIs
• GetLocalTime.KERNEL32(?), ref: 0077B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0077B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0077B590
• wsprintfA.USER32 ref: 0077B61E
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 5076087b4746f9a5ea043ff05fb56aa87900fd567641dac44029b74b135a1e34
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 045120B1D0021DAACF14DFD5D8895EEBBB9BF48344F10816AF505B6150E7B84AC9CF98
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00776303
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 0077632A
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 007763B1
                                                                                                  • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00776405
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 3498078134-0
                                                                                                  • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction ID: ce15ed90ddcd5f5bc45346a63d6b34466a1c9b377af38269e5abb482da36079b
                                                                                                  • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction Fuzzy Hash: 7B414DB1A00A05EFDF14CF58C884AA9B7B4FF04394F24C569E919D7294E779EE40DB50
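The two functions above (0x40609C in the 0x400000 image and its copy at 0x776303 in the 0x770000 region) probe a 0x14-byte structure with IsBadReadPtr/IsBadHugeReadPtr, call LoadLibraryA, then GetProcAddress, and the second probe sits at a negative offset (-0xDC) from the first. 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), so this is the loop an unpacking stub runs to rebuild the import address table of an image it has just mapped: for each descriptor, load the named DLL, then resolve every thunk by name or ordinal and write the address into the IAT slot. The Python below is an added example and not Joe Sandbox output or code from the sample: it walks the import directory of a mapped PE32 image (RVA equal to offset, as in the "based on PE: true" dump) with the same 0x14-byte guard, and emulates LoadLibraryA/GetProcAddress against a constructed export table. The minimal image, the module names and the addresses in FAKE_MODULES are constructed for the example.

```python
import struct

# sizeof(IMAGE_IMPORT_DESCRIPTOR): the 0x14 the stub hands to IsBadReadPtr before each entry
IMPORT_DESCRIPTOR_SIZE = 0x14
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Constructed stand-in for LoadLibraryA/GetProcAddress: module -> {name or ordinal: address}.
# The addresses are made up for the example.
FAKE_MODULES = {
    "kernel32.dll": {"LoadLibraryA": 0x7C801D7B, "GetProcAddress": 0x7C80AE40, 1: 0x7C800000},
    "ws2_32.dll": {"sendto": 0x71AB2F51},
}

def _cstr(image, off):
    return bytes(image[off:image.index(b"\0", off)]).decode("ascii")

def walk_imports(image):
    """Yield (dll_name, [(name_or_ordinal, iat_rva), ...]) for a PE32 image that is already
    mapped (RVA == offset), which is how the sandbox dumped this region."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                                   # skip signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    desc = struct.unpack_from("<I", image, opt + 96 + 8)[0]   # DataDirectory[IMPORT].VirtualAddress
    while desc + IMPORT_DESCRIPTOR_SIZE <= len(image):        # the IsBadReadPtr(desc, 0x14) check
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if name_rva == 0 and ft == 0:                          # all-zero terminator descriptor
            break
        dll = _cstr(image, name_rva)
        thunk_base = oft or ft                                 # INT, falling back to the IAT itself
        entries, i = [], 0
        while True:
            t = struct.unpack_from("<I", image, thunk_base + 4 * i)[0]
            if t == 0:
                break
            # IMAGE_IMPORT_BY_NAME is a 2-byte hint followed by the name; ordinals use the high bit
            sym = (t & 0xFFFF) if t & IMAGE_ORDINAL_FLAG32 else _cstr(image, t + 2)
            entries.append((sym, ft + 4 * i))
            i += 1
        yield dll, entries
        desc += IMPORT_DESCRIPTOR_SIZE

def resolve_imports(image, modules):
    """What the stub's loop does: 'LoadLibraryA' each descriptor's DLL, 'GetProcAddress' every
    thunk and write the address into the IAT slot. Returns (patched image, [(dll, sym, addr)])."""
    out, log = bytearray(image), []
    for dll, entries in walk_imports(out):
        exports = modules.get(dll.lower())
        if exports is None:
            raise LookupError(f"LoadLibraryA({dll!r}) failed")
        for sym, iat_rva in entries:
            addr = exports[sym]
            struct.pack_into("<I", out, iat_rva, addr)
            log.append((dll, sym, addr))
    return out, log

def iat_entry(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def build_sample_image():
    """Constructed minimal mapped PE32 image with two import descriptors (not the sample's)."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x10B)                                 # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x200, 3 * 0x14)             # import directory
    struct.pack_into("<5I", img, 0x200, 0x300, 0, 0, 0x400, 0x500)           # kernel32 descriptor
    struct.pack_into("<5I", img, 0x214, 0x340, 0, 0, 0x440, 0x540)           # ws2_32 descriptor
    struct.pack_into("<4I", img, 0x300, 0x410, 0x420, 0x80000001, 0)         # kernel32 INT
    struct.pack_into("<2I", img, 0x340, 0x450, 0)                            # ws2_32 INT
    img[0x500:0x510] = img[0x300:0x310]                                      # IAT starts as INT copy
    img[0x540:0x548] = img[0x340:0x348]
    img[0x400:0x40D] = b"kernel32.dll\0"
    img[0x440:0x44B] = b"ws2_32.dll\0"
    img[0x410:0x41F] = b"\0\0LoadLibraryA\0"                                 # hint + name
    img[0x420:0x431] = b"\0\0GetProcAddress\0"
    img[0x450:0x459] = b"\0\0sendto\0"
    return img

if __name__ == "__main__":
    patched, log = resolve_imports(build_sample_image(), FAKE_MODULES)
    for dll, sym, addr in log:
        print(f"{dll:14s} {sym!s:16s} -> 0x{addr:08X}")
```

Running the same walker over the 0x400000 dump (with a real GetProcAddress stand-in, e.g. a table built from the loaded system DLLs) is the usual way to recover the unpacked payload's import list when its on-disk import table is empty.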
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                  • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                  • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                  • lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                  • String ID: A$ A
                                                                                                  • API String ID: 3343386518-686259309
                                                                                                  • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                  • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                  • htons.WS2_32(00000001), ref: 00402752
                                                                                                  • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                  • htons.WS2_32(00000001), ref: 004027E3
                                                                                                  • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                    • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                    • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                  • String ID:
                                                                                                  • API String ID: 1802437671-0
                                                                                                  • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                  • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: setsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 3981526788-0
                                                                                                  • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                  • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
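The setsockopt calls above carry only numeric levels and options. Decoded with the winsock2.h values: level 0xFFFF is SOL_SOCKET, option 4 is SO_REUSEADDR, 0x1005 is SO_SNDTIMEO, 0x1006 is SO_RCVTIMEO and 0x80 is SO_LINGER; level 6 is IPPROTO_TCP and option 1 is TCP_NODELAY. So this function prepares a TCP socket with send and receive timeouts, a linger setting (the value itself is not visible in the trace) and Nagle's algorithm disabled. The Python below is an added example and not Joe Sandbox output or code from the sample: a parser for the report's "Api.MODULE(args), ref: addr" line format plus decoders for these constants and for the AllocateAndInitializeSid call listed further down in this report (sub-authorities 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544, BUILTIN\Administrators; the identifier-authority pointer is not resolved in the trace, so SECURITY_NT_AUTHORITY is assumed). The trace lines in TRACE are copied from this report.

```python
import re
from dataclasses import dataclass

# One API line as this report prints it, with or without an argument list
# (e.g. "GetTickCount.KERNEL32 ref: 0040272E"); the bullet and any
# "Part of subcall function ...:" prefix are skipped by re.search.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for 8-hex-digit values ("-000000DC" folded to 32-bit two's complement), str otherwise
    ref: int

def parse_api_line(line):
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    for a in (m["args"] or "").split(","):
        a = a.strip()
        if a:
            args.append(int(a, 16) & 0xFFFFFFFF if re.fullmatch(r"-?[0-9A-Fa-f]{8}", a) else a)
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16))

# Winsock level/option values (winsock2.h)
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
SO_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER",
           0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
TCP_OPTS = {0x0001: "TCP_NODELAY"}

def decode_setsockopt(call):
    """setsockopt(s, level, optname, optval, optlen) -> 'LEVEL/OPTION'; unknown values stay hex."""
    if len(call.args) < 3:
        return "?"
    level, opt = call.args[1], call.args[2]
    if not (isinstance(level, int) and isinstance(opt, int)):
        return "?"
    if level == SOL_SOCKET:
        return "SOL_SOCKET/" + SO_OPTS.get(opt, f"0x{opt:04x}")
    if level == IPPROTO_TCP:
        return "IPPROTO_TCP/" + TCP_OPTS.get(opt, f"0x{opt:04x}")
    return f"0x{level:x}/0x{opt:04x}"

WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}

def decode_sid(call):
    """AllocateAndInitializeSid(pAuthority, count, sub0..sub7, ...) -> SID string.
    Assumption: the unresolved authority pointer is SECURITY_NT_AUTHORITY (5), the only
    authority under which the BUILTIN domain RID 0x20 is meaningful."""
    count = call.args[1] if len(call.args) > 1 else None
    if not isinstance(count, int):
        return "?"
    subs = call.args[2:2 + count]
    if len(subs) != count or not all(isinstance(s, int) for s in subs):
        return "?"
    sid = "S-1-5-" + "-".join(str(s) for s in subs)
    name = WELL_KNOWN_SIDS.get(sid)
    return f"{sid} ({name})" if name else sid

DECODERS = {"setsockopt": decode_setsockopt, "AllocateAndInitializeSid": decode_sid}

def decode_trace(lines):
    """Return [(api, annotation)] for every parsable line; APIs without a decoder get ''."""
    out = []
    for call in map(parse_api_line, lines):
        if call is None:
            continue
        dec = DECODERS.get(call.api)
        out.append((call.api, dec(call) if dec else ""))
    return out

# Lines copied from this report (the setsockopt function above and the SID check further down).
TRACE = """
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
""".strip().splitlines()

if __name__ == "__main__":
    for api, note in decode_trace(TRACE):
        print(f"{api:28s} {note}")
```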
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                  • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                  • wsprintfA.USER32 ref: 004091A9
                                                                                                    • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                    • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                    • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                    • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                    • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                    • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                  • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007793C6
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 007793CD
                                                                                                  • CharToOemA.USER32(?,?), ref: 007793DB
                                                                                                  • wsprintfA.USER32 ref: 00779410
                                                                                                    • Part of subcall function 007792CB: GetTempPathA.KERNEL32(00000400,?), ref: 007792E2
                                                                                                    • Part of subcall function 007792CB: wsprintfA.USER32 ref: 00779350
                                                                                                    • Part of subcall function 007792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00779375
                                                                                                    • Part of subcall function 007792CB: lstrlen.KERNEL32(?,?,00000000), ref: 00779389
                                                                                                    • Part of subcall function 007792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00779394
                                                                                                    • Part of subcall function 007792CB: CloseHandle.KERNEL32(00000000), ref: 0077939B
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00779448
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction ID: e7d752bb4363c5557ad58e3d42a6887c9e3fff722c00b78a9428164ff77f04cb
                                                                                                  • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction Fuzzy Hash: A80152F6900158BBDB21A7619D4DEDF377CDB95701F0040A1BB49E2081DAB896C5CF75
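Both copies of this function (0x40915F in the 0x400000 image and 0x7793C6 in the 0x770000 region) run the same chain: GetModuleHandleA and GetModuleFileNameA fetch the running image's own path, CharToOemA and wsprintfA format it, then the subcall does GetTempPathA, wsprintfA, CreateFileA with dwDesiredAccess 0x40000000 (GENERIC_WRITE) and dwCreationDisposition 2 (CREATE_ALWAYS), WriteFile and CloseHandle, and finally ShellExecuteA runs the result. That is a file written to %TEMP% and executed; what is written is not visible in the trace. The Python below is an added example and not Joe Sandbox output or code from the sample: a detector for this drop-and-execute chain over the report's API-line format, exercised on the lines copied from the entry above. The sets of temp-path, create and execute APIs and the rule that a new GetTempPath starts a fresh chain are the example's own choices.

```python
import re

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)

GENERIC_WRITE, CREATE_ALWAYS = 0x40000000, 2     # CreateFileA dwDesiredAccess / dwCreationDisposition
SELF_PATH_APIS = {"GetModuleFileNameA", "GetModuleFileNameW"}
TEMP_APIS = {"GetTempPathA", "GetTempPathW"}
CREATE_APIS = {"CreateFileA", "CreateFileW"}
EXEC_APIS = {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW",
             "CreateProcessA", "CreateProcessW", "WinExec"}

def parse_api_line(line):
    """(api, [args], ref) from one report line; 8-hex-digit args become ints, '?' and strings stay str."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in (m["args"] or "").split(",")]
    args = [int(a, 16) & 0xFFFFFFFF if re.fullmatch(r"-?[0-9A-Fa-f]{8}", a) else a for a in raw if a]
    return m["api"], args, int(m["ref"], 16)

def find_drop_and_exec(lines):
    """Flag GetTempPath -> CreateFile(GENERIC_WRITE, CREATE_ALWAYS) -> WriteFile -> exec API.
    Returns one dict per completed chain holding the 'ref' address of each step, plus the
    ref of a preceding GetModuleFileName (the dropped file may refer to the caller's own path)."""
    findings, chain = [], {}
    for call in filter(None, map(parse_api_line, lines)):
        api, args, ref = call
        if api in SELF_PATH_APIS:
            chain = {"self_path": ref}
        elif api in TEMP_APIS:
            chain = {"self_path": chain.get("self_path"), "temp_path": ref}   # new chain
        elif api in CREATE_APIS and "temp_path" in chain:
            access = args[1] if len(args) > 1 and isinstance(args[1], int) else 0
            disposition = args[4] if len(args) > 4 and isinstance(args[4], int) else 0
            if access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                chain["create_file"] = ref
        elif api == "WriteFile" and "create_file" in chain:
            chain["write_file"] = ref
        elif api in EXEC_APIS and "write_file" in chain:
            chain["exec"], chain["exec_api"] = ref, api
            findings.append(chain)
            chain = {}
    return findings

# Lines copied from the function entry above.
TRACE = """
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_drop_and_exec(TRACE):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in f.items()})
```

The same four-step rule works on a live API-monitor log as well; the point of requiring the write-access and CREATE_ALWAYS flags is to skip the many benign CreateFile calls that read from %TEMP%.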
                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                  • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                  • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                  • API String ID: 2574300362-1087626847
                                                                                                  • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                  • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18

APIs
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 5b80bd6e8cfc52b57163f43040b874cf2ff6d6412c07448dc84df1a4e4567c7a
• Instruction Fuzzy Hash: D8E08C306041118FCB008B28F848AC537A4AF0A370F04C580F068D31A1C738DD829A41

APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 007769E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00776A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00776A3A
• CloseHandle.KERNEL32(000000FF), ref: 00776BD8
  • Part of subcall function 0077EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00771DCF,?), ref: 0077EEA8
  • Part of subcall function 0077EE95: HeapFree.KERNEL32(00000000), ref: 0077EEAF
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 06ca6df95259339e926cc1c9add2b69cfc259b4dd5aa7b6177a3b6677d107590
• Instruction Fuzzy Hash: 0C7139B190061DEFDF10DFA4CC809EEBBB9FB04354F20856AE519E61A0D7349E92DB50

APIs
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4

APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94

APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6

APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
• Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6

APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007741AB
• GetLastError.KERNEL32 ref: 007741B5
• WaitForSingleObject.KERNEL32(?,?), ref: 007741C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007741D9
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 9a3e86cddacf04a0a94edc49ee59af072c76ba5ffae56337fe6d120d1d140458
• Instruction Fuzzy Hash: 9D01297651111EABDF01EF90ED84BEE3B6CEB18396F408061F905E2050D7749A908BB9

APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0077421F
• GetLastError.KERNEL32 ref: 00774229
• WaitForSingleObject.KERNEL32(?,?), ref: 0077423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0077424D
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: e45734ea573cae997385bb26b763945fb040c55589f3617fc9734aa778915558
• Instruction Fuzzy Hash: FF01E572511109ABDF01DF90ED84BEE7BACFB08395F108061F905E2451D7749A648BB6

APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0077E066
Memory Dump Source
• Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction ID: ead20b8a5319a4ecf1d0ae7758f23ffdc056fdfe9cd8f5bf3c1be7ae61fd8c3d
• Instruction Fuzzy Hash: F7F062312007029BCF20CF25D884A92B7E9FB09361B64C6BAE158C3060D3B8A898CB51

APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
• Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF

APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
• Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD

APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                  • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                  • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00403103
                                                                                                  • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                  • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                  • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000001,Dw,00000000,00000000,00000000), ref: 0077E470
                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 0077E484
                                                                                                    • Part of subcall function 0077E2FC: RegCreateKeyExA.ADVAPI32(80000001,0077E50A,00000000,00000000,00000000,00020106,00000000,0077E50A,00000000,000000E4), ref: 0077E319
                                                                                                    • Part of subcall function 0077E2FC: RegSetValueExA.ADVAPI32(0077E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0077E38E
                                                                                                    • Part of subcall function 0077E2FC: RegDeleteValueA.ADVAPI32(0077E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw), ref: 0077E3BF
                                                                                                    • Part of subcall function 0077E2FC: RegCloseKey.ADVAPI32(0077E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw,0077E50A), ref: 0077E3C8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                  • String ID: Dw
                                                                                                  • API String ID: 4151426672-3192257026
                                                                                                  • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction ID: 22efb760203f1044cf21e815a5498de4a002aee10b3c6a57903d8fdd31b76466
                                                                                                  • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction Fuzzy Hash: 7E41DB72900208FAEF205B558C4AFEB3B6CEB087A4F14C075FA1D94192E7B98A50D6B4
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007783C6
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00778477
                                                                                                    • Part of subcall function 007769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007769E5
                                                                                                    • Part of subcall function 007769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00776A26
                                                                                                    • Part of subcall function 007769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00776A3A
                                                                                                    • Part of subcall function 0077EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00771DCF,?), ref: 0077EEA8
                                                                                                    • Part of subcall function 0077EE95: HeapFree.KERNEL32(00000000), ref: 0077EEAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
                                                                                                  • API String ID: 359188348-541925129
                                                                                                  • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction ID: d7f35b4f97e88883d6d2441e7ec2bb46ffdc84e8742d7693809167ce98db5aca
                                                                                                  • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction Fuzzy Hash: 0D4183B1940149BEEF50EFA0DD89DFF776CEB04390F1484B6F508D6011FAB85A548B65
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0077AFFF
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0077B00D
                                                                                                    • Part of subcall function 0077AF6F: gethostname.WS2_32(?,00000080), ref: 0077AF83
                                                                                                    • Part of subcall function 0077AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0077AFE6
                                                                                                    • Part of subcall function 0077331C: gethostname.WS2_32(?,00000080), ref: 0077333F
                                                                                                    • Part of subcall function 0077331C: gethostbyname.WS2_32(?), ref: 00773349
                                                                                                    • Part of subcall function 0077AA0A: inet_ntoa.WS2_32(00000000), ref: 0077AA10
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %OUTLOOK_BND_
                                                                                                  • API String ID: 1981676241-3684217054
                                                                                                  • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction ID: 520da1a00bc306dd47a385fa6212dff457f06be2c28d35dacae3bd5f15301fad
                                                                                                  • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction Fuzzy Hash: A141F17290024CABDF25AFA0DC45EEE376CFB08344F148426F91992152EA79D654DB54
                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00779536
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0077955D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-3916222277
                                                                                                  • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction ID: 03ae43c9e96d20f23e6ec651422747a6da23ace37cd668aa017389d889b7f81f
                                                                                                  • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction Fuzzy Hash: EA4129718053A46EEF378B68D88D7F63BA49B02394F28C1E5D28E971E2E67C4D81C711
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                  • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID: ,k@
                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0077B9D9
                                                                                                  • InterlockedIncrement.KERNEL32(00413648), ref: 0077BA3A
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0077BA94
                                                                                                  • GetTickCount.KERNEL32 ref: 0077BB79
                                                                                                  • GetTickCount.KERNEL32 ref: 0077BB99
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0077BE15
                                                                                                  • closesocket.WS2_32(00000000), ref: 0077BEB4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 1869671989-2903620461
                                                                                                  • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction ID: 9e8e2d36e46b9463db373f701c2d4b96abd50dd58ff78f3b5aab9fd2bbc48b00
                                                                                                  • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction Fuzzy Hash: B4318D71500248EFDF25DFA4DC88BED77B8EB48740F208056FA2882261EB78DA85CF10
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 536389180-1857712256
                                                                                                  • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                  • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTickwsprintf
                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                  • API String ID: 2424974917-1012700906
                                                                                                  • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                  • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                  APIs
                                                                                                    • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                  • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                  • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 007770BC
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007770F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2370142434-2343686810
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: 5b40a8d353439d6efb3b1e8ce01ea50cb2591e74f29bfb183622d901dcbc54e2
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: 72116172A0411CEBDF15CFD4DC84ADEB7BCAB44341F5481A6E505E6090E7749B88CBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2777991786-1857712256
                                                                                                  • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                  • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                  • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 224340156-2903620461
                                                                                                  • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                  • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                  APIs
                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                  • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                  • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                  • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                                  • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: ntdll.dll
                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                  • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                  • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                  APIs
                                                                                                    • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1285747031.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_400000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                  • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                  APIs
                                                                                                    • Part of subcall function 00772F88: GetModuleHandleA.KERNEL32(?), ref: 00772FA1
                                                                                                    • Part of subcall function 00772F88: LoadLibraryA.KERNEL32(?), ref: 00772FB1
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007731DA
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 007731E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1286069406.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_770000_lsremmuy.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction ID: b7fa0d012235ad62a46887ac8f287b9b76d164b8bc47d25cc6c189af4f621862
                                                                                                  • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction Fuzzy Hash: 4151CA3190020AEFCF019F64D8889FAB775FF15345F248568ECAAC7212E736DA19CB90

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:15%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0.7%
                                                                                                  Total number of Nodes:1806
                                                                                                  Total number of Limit Nodes:18
execution_graph (flattened text of the interactive graph viewer; the node ids and a->b edge arrows are not reproduced here, only the code address and the API calls recorded at each node, grouped by API family; the dump is cut off after node 2c6ec2e)

Process, module and command line: 2c69a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter; 2c6ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount; 2c69aa3, 2c6a167, 2c69f9d GetModuleHandleA GetModuleFileNameA; 2c69145 GetModuleHandleA GetModuleFileNameA CharToOemA; 2c69afd, 2c6a1e3 GetCommandLineA; 2c61db4 GetVersionExA; 2c61dd0 GetSystemInfo GetModuleHandleA GetProcAddress; 2c61e16 GetCurrentProcess; 2c6a41c CreateThread WSAStartup; 2c68269 CreateThread; 2c6405e, 2c64280 CreateEventA; 2c6a103 CreateProcessA; 2c6a12a, 2c6a406, 2c69e0c DeleteFileA; 2c6a3ed GetLastError; 2c69c05, 2c66753 ExitProcess

Service control: 2c69961 RegisterServiceCtrlHandlerA; 2c698c2 SetServiceStatus; 2c6a39d StartServiceCtrlDispatcherA

Registry: 2c69f32, 2c68156, 2c6e3ca RegOpenKeyExA; 2c69f48 RegSetValueExA RegCloseKey; 2c6816d, 2c681aa RegQueryValueExA; 2c6820d RegCloseKey

File system and environment: 2c69ca0, 2c6cc1c GetTempPathA; 2c69e6b GetEnvironmentVariableA; 2c69dde GetFileAttributesExA; 2c6a1b2, 2c69ff1 GetDriveTypeA; 2c6e555 GetFileSize; 2c6e576 ReadFile; 2c6e5b1 CloseHandle

Loader and memory: 2c6643e, 2c6645b VirtualAlloc; 2c662a0 VirtualFree; 2c66281 FreeLibrary; 2c660c0 LoadLibraryA; 2c66141, 2c66155 GetProcAddress; 2c65fbf VirtualProtect; 2c66090, 2c66191 IsBadReadPtr; 2c65b84, 2c65c05, 2c65c24, 2c65d93, 2c64861 IsBadWritePtr; 2c6f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime; 2c6199c inet_addr LoadLibraryA; 2c6c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap; 2c6ec2e GetProcessHeap HeapSize

Network: 2c6f483 WSAStartup; 2c6f26d setsockopt setsockopt setsockopt setsockopt setsockopt; 2c6656a htonl htonl wsprintfA wsprintfA; 2c6ca4b, 2c6cb60, 2c6dad2 closesocket; 2c6d569 closesocket Sleep

Timing and synchronization: 2c64e92, 2c64ead, 2c6a49f, 2c6a4b7, 2c6dd05, 2c61f8e GetTickCount; 2c64ec0 InterlockedExchange; 2c64eb8, 2c6a4be, 2c6a3f8, 2c68dec Sleep

Unhandled-exception handler path: 2c66511 wsprintfA IsBadReadPtr; 2c6668a GetCurrentProcess StackWalk64; 2c66652, 2c666a0, 2c666da, 2c666ed, 2c66712 wsprintfA; 2c66753 ExitProcess

String handling: 2c65110, 2c65351, 2c6e781, 2c68c8b lstrcmpA; 2c6524f, 2c699d2 lstrcpyA; 2c69eb0 lstrcpyA lstrlenA; 2c69b96, 2c6a285 lstrlenA; 2c69d72 lstrcpyA lstrcatA lstrcatA; 2c6a02d, 2c6a052, 2c6a064, 2c6a081 lstrcatA; 2c6a0a4, 2c6d815 wsprintfA
GetProcessHeap RtlFreeHeap codecvt 6425->6436 6437 2c6cfe3 GetSystemDirectoryA 6425->6437 6438 2c6675c 21 API calls 6425->6438 6439 2c6d027 GetSystemDirectoryA 6425->6439 6440 2c6cfad GetEnvironmentVariableA 6425->6440 6441 2c6d105 lstrcatA 6425->6441 6442 2c6ef1e lstrlenA 6425->6442 6443 2c6cc9f CreateFileA 6425->6443 6444 2c6d15b CreateFileA 6425->6444 6450 2c6d149 SetFileAttributesA 6425->6450 6451 2c6d36e GetEnvironmentVariableA 6425->6451 6452 2c6d1bf SetFileAttributesA 6425->6452 6453 2c68e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6425->6453 6455 2c6d22d GetEnvironmentVariableA 6425->6455 6457 2c6d3af lstrcatA 6425->6457 6459 2c67fcf 64 API calls 6425->6459 6460 2c6d3f2 CreateFileA 6425->6460 6466 2c6d26e lstrcatA 6425->6466 6468 2c6d4b1 CreateProcessA 6425->6468 6469 2c6d3e0 SetFileAttributesA 6425->6469 6470 2c6d2b1 CreateFileA 6425->6470 6472 2c6d452 SetFileAttributesA 6425->6472 6474 2c67ee6 64 API calls 6425->6474 6475 2c6d29f SetFileAttributesA 6425->6475 6478 2c6d31d SetFileAttributesA 6425->6478 7003 2c6c75d 6425->7003 7015 2c67e2f 6425->7015 7037 2c67ead 6425->7037 7047 2c631d0 6425->7047 7064 2c63c09 6425->7064 7074 2c63a00 6425->7074 7078 2c6e7b4 6425->7078 7081 2c6c06c 6425->7081 7087 2c66f5f GetUserNameA 6425->7087 7098 2c6e854 6425->7098 7108 2c67dd6 6425->7108 6426->6425 6427->6425 6428->6425 6429->6425 7042 2c6e318 6430->7042 6432->6425 6433->6425 6434 2c6d582 ExitProcess 6435->6425 6436->6425 6437->6425 6438->6425 6439->6425 6440->6425 6441->6425 6442->6425 6443->6425 6445 2c6ccc6 WriteFile 6443->6445 6444->6425 6448 2c6d182 WriteFile CloseHandle 6444->6448 6446 2c6cdcc CloseHandle 6445->6446 6447 2c6cced CloseHandle 6445->6447 6446->6425 6454 2c6cd2f 6447->6454 6448->6425 6449 2c6cd16 wsprintfA 6449->6454 6450->6444 6451->6425 6452->6425 6453->6425 6454->6449 7024 2c67fcf 6454->7024 6455->6425 6457->6425 6457->6460 6459->6425 6460->6425 6461 2c6d415 WriteFile CloseHandle 6460->6461 6461->6425 6462 2c6cd81 
WaitForSingleObject CloseHandle CloseHandle 6464 2c6f04e 4 API calls 6462->6464 6463 2c6cda5 6465 2c67ee6 64 API calls 6463->6465 6464->6463 6467 2c6cdbd DeleteFileA 6465->6467 6466->6425 6466->6470 6467->6425 6468->6425 6471 2c6d4e8 CloseHandle CloseHandle 6468->6471 6469->6460 6470->6425 6473 2c6d2d8 WriteFile CloseHandle 6470->6473 6471->6425 6472->6425 6473->6425 6474->6425 6475->6470 6478->6425 6480 2c66784 CreateFileA 6479->6480 6481 2c6677a SetFileAttributesA 6479->6481 6482 2c667a4 CreateFileA 6480->6482 6483 2c667b5 6480->6483 6481->6480 6482->6483 6484 2c667c5 6483->6484 6485 2c667ba SetFileAttributesA 6483->6485 6486 2c66977 6484->6486 6487 2c667cf GetFileSize 6484->6487 6485->6484 6486->6173 6507 2c66a60 CreateFileA 6486->6507 6488 2c667e5 6487->6488 6506 2c66965 6487->6506 6490 2c667ed ReadFile 6488->6490 6488->6506 6489 2c6696e FindCloseChangeNotification 6489->6486 6491 2c66811 SetFilePointer 6490->6491 6490->6506 6492 2c6682a ReadFile 6491->6492 6491->6506 6493 2c66848 SetFilePointer 6492->6493 6492->6506 6494 2c66867 6493->6494 6493->6506 6495 2c66878 ReadFile 6494->6495 6496 2c668d5 6494->6496 6497 2c66891 6495->6497 6501 2c668d0 6495->6501 6496->6489 6498 2c6ebcc 4 API calls 6496->6498 6497->6495 6497->6501 6499 2c668f8 6498->6499 6500 2c66900 SetFilePointer 6499->6500 6499->6506 6502 2c6690d ReadFile 6500->6502 6503 2c6695a 6500->6503 6501->6496 6502->6503 6504 2c66922 6502->6504 6505 2c6ec2e codecvt 4 API calls 6503->6505 6504->6489 6505->6506 6506->6489 6508 2c66a8f GetDiskFreeSpaceA 6507->6508 6509 2c66b8c GetLastError 6507->6509 6510 2c66ac5 6508->6510 6519 2c66ad7 6508->6519 6517 2c66b86 6509->6517 7193 2c6eb0e 6510->7193 6514 2c66b56 CloseHandle 6514->6517 6518 2c66b65 GetLastError CloseHandle 6514->6518 6515 2c66b36 GetLastError CloseHandle 6516 2c66b7f DeleteFileA 6515->6516 6516->6517 6517->6190 6518->6516 7197 2c66987 6519->7197 6521 2c696b9 6520->6521 6522 2c673ff 17 API calls 6521->6522 6523 2c696e2 6522->6523 6524 2c696f7 6523->6524 
6525 2c6704c 16 API calls 6523->6525 6524->6168 6524->6169 6525->6524 6527 2c642a5 6526->6527 6532 2c6429d 6526->6532 7203 2c63ecd 6527->7203 6529 2c642b0 7207 2c64000 6529->7207 6531 2c643c1 CloseHandle 6531->6532 6532->6172 6532->6187 6533 2c642b6 6533->6531 6533->6532 7213 2c63f18 WriteFile 6533->7213 6538 2c643ba CloseHandle 6538->6531 6539 2c64318 6540 2c63f18 4 API calls 6539->6540 6541 2c64331 6540->6541 6542 2c63f18 4 API calls 6541->6542 6543 2c6434a 6542->6543 6544 2c6ebcc 4 API calls 6543->6544 6545 2c64350 6544->6545 6546 2c63f18 4 API calls 6545->6546 6547 2c64389 6546->6547 6548 2c6ec2e codecvt 4 API calls 6547->6548 6549 2c6438f 6548->6549 6550 2c63f8c 4 API calls 6549->6550 6551 2c6439f CloseHandle CloseHandle 6550->6551 6551->6532 6553 2c699eb 6552->6553 6554 2c69a2f lstrcatA 6553->6554 6555 2c6ee2a 6554->6555 6556 2c69a4b lstrcatA 6555->6556 6557 2c66a60 13 API calls 6556->6557 6558 2c69a60 6557->6558 6558->6197 6558->6212 6559 2c66dc2 6558->6559 6560 2c66dd7 6559->6560 6561 2c66e33 6559->6561 6562 2c66cc9 5 API calls 6560->6562 6561->6214 6563 2c66ddc 6562->6563 6564 2c66e24 6563->6564 6565 2c66e02 GetVolumeInformationA 6563->6565 6564->6561 6565->6564 6567 2c66cdc GetModuleHandleA GetProcAddress 6566->6567 6572 2c66d8b 6566->6572 6568 2c66d12 GetSystemDirectoryA 6567->6568 6569 2c66cfd 6567->6569 6570 2c66d27 GetWindowsDirectoryA 6568->6570 6571 2c66d1e 6568->6571 6569->6568 6569->6572 6574 2c66d42 6570->6574 6571->6570 6571->6572 6572->6222 6573 2c6ef1e lstrlenA 6573->6572 6574->6573 7221 2c61910 6575->7221 6578 2c6934a GetModuleHandleA GetModuleFileNameA 6580 2c6937f 6578->6580 6581 2c693a4 6580->6581 6582 2c693d9 6580->6582 6583 2c693c3 wsprintfA 6581->6583 6584 2c69401 wsprintfA 6582->6584 6585 2c69415 6583->6585 6584->6585 6588 2c66cc9 5 API calls 6585->6588 6609 2c694a0 6585->6609 6586 2c66edd 5 API calls 6587 2c694ac 6586->6587 6589 2c6962f 6587->6589 6591 2c694e8 RegOpenKeyExA 6587->6591 6590 2c69439 6588->6590 6593 2c69646 6589->6593 
7236 2c61820 6589->7236 6599 2c6ef1e lstrlenA 6590->6599 6594 2c694fb 6591->6594 6595 2c69502 6591->6595 6604 2c695d6 6593->6604 7242 2c691eb 6593->7242 6594->6589 6597 2c6958a 6594->6597 6598 2c6951f RegQueryValueExA 6595->6598 6597->6593 6600 2c69593 6597->6600 6601 2c69530 6598->6601 6602 2c69539 6598->6602 6603 2c69462 6599->6603 6600->6604 7223 2c6f0e4 6600->7223 6605 2c6956e RegCloseKey 6601->6605 6606 2c69556 RegQueryValueExA 6602->6606 6607 2c6947e wsprintfA 6603->6607 6604->6232 6604->6233 6605->6594 6606->6601 6606->6605 6607->6609 6609->6586 6610 2c695bb 6610->6604 7230 2c618e0 6610->7230 6613 2c62544 6612->6613 6614 2c6972d RegOpenKeyExA 6613->6614 6615 2c69740 6614->6615 6616 2c69765 6614->6616 6617 2c6974f RegDeleteValueA RegCloseKey 6615->6617 6616->6208 6617->6616 6619 2c62554 lstrcatA 6618->6619 6620 2c6ee2a 6619->6620 6621 2c6a0ec lstrcatA 6620->6621 6621->6240 6623 2c6ec37 6622->6623 6624 2c6a15d 6622->6624 6625 2c6eba0 codecvt 2 API calls 6623->6625 6624->6172 6624->6173 6626 2c6ec3d GetProcessHeap RtlFreeHeap 6625->6626 6626->6624 6628 2c62544 6627->6628 6629 2c6919e wsprintfA 6628->6629 6630 2c691bb 6629->6630 7281 2c69064 GetTempPathA 6630->7281 6633 2c691e7 6633->6190 6634 2c691d5 ShellExecuteA 6634->6633 6636 2c66ed5 6635->6636 6637 2c66ecc 6635->6637 6636->6229 6638 2c66e36 2 API calls 6637->6638 6638->6636 6640 2c698f6 6639->6640 6641 2c64280 30 API calls 6640->6641 6642 2c69904 Sleep 6640->6642 6643 2c69915 6640->6643 6641->6640 6642->6640 6642->6643 6645 2c69947 6643->6645 7288 2c6977c 6643->7288 6645->6223 6647 2c6dd41 InterlockedExchange 6646->6647 6648 2c6dd20 GetCurrentThreadId 6647->6648 6649 2c6dd4a 6647->6649 6650 2c6dd53 GetCurrentThreadId 6648->6650 6651 2c6dd2e GetTickCount 6648->6651 6649->6650 6650->6259 6652 2c6dd4c 6651->6652 6653 2c6dd39 Sleep 6651->6653 6652->6650 6653->6647 6655 2c6dbf0 6654->6655 6687 2c6db67 GetEnvironmentVariableA 6655->6687 6657 2c6dc19 6658 2c6dcda 6657->6658 6659 2c6db67 3 API calls 6657->6659 
6658->6261 6660 2c6dc5c 6659->6660 6660->6658 6661 2c6db67 3 API calls 6660->6661 6662 2c6dc9b 6661->6662 6662->6658 6663 2c6db67 3 API calls 6662->6663 6663->6658 6665 2c6e528 6664->6665 6666 2c6e3f4 6664->6666 6665->6272 6667 2c6e434 RegQueryValueExA 6666->6667 6668 2c6e51d RegCloseKey 6667->6668 6669 2c6e458 6667->6669 6668->6665 6670 2c6e46e RegQueryValueExA 6669->6670 6670->6669 6671 2c6e488 6670->6671 6671->6668 6672 2c6db2e 8 API calls 6671->6672 6673 2c6e499 6672->6673 6673->6668 6674 2c6e4b9 RegQueryValueExA 6673->6674 6675 2c6e4e8 6673->6675 6674->6673 6674->6675 6675->6668 6676 2c6e332 14 API calls 6675->6676 6677 2c6e513 6676->6677 6677->6668 6679 2c6db3a 6678->6679 6681 2c6db55 6678->6681 6691 2c6ebed 6679->6691 6681->6264 6681->6268 6709 2c6f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6682->6709 6684 2c6e3be 6684->6264 6685 2c6e342 6685->6684 6712 2c6de24 6685->6712 6688 2c6dbca 6687->6688 6689 2c6db89 lstrcpyA CreateFileA 6687->6689 6688->6657 6689->6657 6692 2c6ebf6 6691->6692 6693 2c6ec01 6691->6693 6700 2c6ebcc GetProcessHeap RtlAllocateHeap 6692->6700 6703 2c6eba0 6693->6703 6701 2c6eb74 2 API calls 6700->6701 6702 2c6ebe8 6701->6702 6702->6681 6704 2c6eba7 GetProcessHeap HeapSize 6703->6704 6705 2c6ebbf GetProcessHeap RtlReAllocateHeap 6703->6705 6704->6705 6706 2c6eb74 6705->6706 6707 2c6eb93 6706->6707 6708 2c6eb7b GetProcessHeap HeapSize 6706->6708 6707->6681 6708->6707 6723 2c6eb41 6709->6723 6711 2c6f0b7 6711->6685 6713 2c6de3a 6712->6713 6719 2c6de4e 6713->6719 6732 2c6dd84 6713->6732 6716 2c6ebed 8 API calls 6721 2c6def6 6716->6721 6717 2c6de9e 6717->6716 6717->6719 6718 2c6de76 6736 2c6ddcf 6718->6736 6719->6685 6721->6719 6722 2c6ddcf lstrcmpA 6721->6722 6722->6719 6724 2c6eb4a 6723->6724 6727 2c6eb61 6723->6727 6728 2c6eae4 6724->6728 6726 2c6eb54 6726->6711 6726->6727 6727->6711 6729 2c6eb02 GetProcAddress 6728->6729 6730 2c6eaed LoadLibraryA 6728->6730 6729->6726 6730->6729 6731 2c6eb01 6730->6731 6731->6726 6733 2c6dd96 
6732->6733 6734 2c6ddc5 6732->6734 6733->6734 6735 2c6ddad lstrcmpiA 6733->6735 6734->6717 6734->6718 6735->6733 6735->6734 6737 2c6de20 6736->6737 6739 2c6dddd 6736->6739 6737->6719 6738 2c6ddfa lstrcmpA 6738->6739 6739->6737 6739->6738 6741 2c6dd05 6 API calls 6740->6741 6742 2c6e821 6741->6742 6743 2c6dd84 lstrcmpiA 6742->6743 6744 2c6e82c 6743->6744 6745 2c6e844 6744->6745 6790 2c62480 6744->6790 6745->6288 6748 2c6ea98 6747->6748 6799 2c6e8a1 6748->6799 6750 2c61e84 6750->6296 6752 2c619d5 GetProcAddress GetProcAddress GetProcAddress 6751->6752 6753 2c619ce 6751->6753 6754 2c61ab3 FreeLibrary 6752->6754 6755 2c61a04 6752->6755 6753->6301 6754->6753 6755->6754 6756 2c61a14 GetBestInterface GetProcessHeap 6755->6756 6756->6753 6757 2c61a2e HeapAlloc 6756->6757 6757->6753 6758 2c61a42 GetAdaptersInfo 6757->6758 6759 2c61a62 6758->6759 6760 2c61a52 HeapReAlloc 6758->6760 6761 2c61aa1 FreeLibrary 6759->6761 6762 2c61a69 GetAdaptersInfo 6759->6762 6760->6759 6761->6753 6762->6761 6763 2c61a75 HeapFree 6762->6763 6763->6761 6827 2c61ac3 LoadLibraryA 6765->6827 6768 2c61bcf 6768->6312 6770 2c61ac3 13 API calls 6769->6770 6771 2c61c09 6770->6771 6772 2c61c0d GetComputerNameA 6771->6772 6773 2c61c5a 6771->6773 6774 2c61c45 GetVolumeInformationA 6772->6774 6775 2c61c1f 6772->6775 6773->6320 6774->6773 6775->6774 6776 2c61c41 6775->6776 6776->6773 6778 2c6ee2a 6777->6778 6779 2c630d0 gethostname gethostbyname 6778->6779 6780 2c61f82 6779->6780 6780->6325 6780->6327 6782 2c6dd05 6 API calls 6781->6782 6783 2c6df7c 6782->6783 6784 2c6dd84 lstrcmpiA 6783->6784 6785 2c6df89 6784->6785 6786 2c6ddcf lstrcmpA 6785->6786 6787 2c6ec2e codecvt 4 API calls 6785->6787 6788 2c6dd84 lstrcmpiA 6785->6788 6789 2c6dfc4 6785->6789 6786->6785 6787->6785 6788->6785 6789->6293 6793 2c62419 lstrlenA 6790->6793 6792 2c62491 6792->6745 6794 2c62474 6793->6794 6795 2c6243d lstrlenA 6793->6795 6794->6792 6796 2c62464 lstrlenA 6795->6796 6797 2c6244e lstrcmpiA 6795->6797 6796->6794 6796->6795 
6797->6796 6798 2c6245c 6797->6798 6798->6794 6798->6796 6800 2c6dd05 6 API calls 6799->6800 6801 2c6e8b4 6800->6801 6802 2c6dd84 lstrcmpiA 6801->6802 6803 2c6e8c0 6802->6803 6804 2c6e90a 6803->6804 6805 2c6e8c8 lstrcpynA 6803->6805 6807 2c62419 4 API calls 6804->6807 6814 2c6ea27 6804->6814 6806 2c6e8f5 6805->6806 6820 2c6df4c 6806->6820 6808 2c6e926 lstrlenA lstrlenA 6807->6808 6810 2c6e94c lstrlenA 6808->6810 6811 2c6e96a 6808->6811 6810->6811 6811->6814 6815 2c6ebcc 4 API calls 6811->6815 6812 2c6e901 6813 2c6dd84 lstrcmpiA 6812->6813 6813->6804 6814->6750 6816 2c6e98f 6815->6816 6816->6814 6817 2c6df4c 20 API calls 6816->6817 6818 2c6ea1e 6817->6818 6819 2c6ec2e codecvt 4 API calls 6818->6819 6819->6814 6821 2c6dd05 6 API calls 6820->6821 6822 2c6df51 6821->6822 6823 2c6f04e 4 API calls 6822->6823 6824 2c6df58 6823->6824 6825 2c6de24 10 API calls 6824->6825 6826 2c6df63 6825->6826 6826->6812 6828 2c61ae2 GetProcAddress 6827->6828 6829 2c61b68 GetComputerNameA GetVolumeInformationA 6827->6829 6828->6829 6832 2c61af5 6828->6832 6829->6768 6830 2c61b1c GetAdaptersAddresses 6830->6832 6833 2c61b29 6830->6833 6831 2c6ebed 8 API calls 6831->6832 6832->6830 6832->6831 6832->6833 6833->6829 6833->6833 6834 2c6ec2e codecvt 4 API calls 6833->6834 6834->6829 6836 2c66ec3 2 API calls 6835->6836 6837 2c67ef4 6836->6837 6839 2c67fc9 6837->6839 6871 2c673ff 6837->6871 6839->6335 6840 2c67f16 6840->6839 6891 2c67809 GetUserNameA 6840->6891 6842 2c67f63 6842->6839 6915 2c6ef1e lstrlenA 6842->6915 6845 2c6ef1e lstrlenA 6846 2c67fb7 6845->6846 6917 2c67a95 RegOpenKeyExA 6846->6917 6849 2c67073 6848->6849 6850 2c670b9 RegOpenKeyExA 6849->6850 6851 2c670d0 6850->6851 6865 2c671b8 6850->6865 6852 2c66dc2 6 API calls 6851->6852 6855 2c670d5 6852->6855 6853 2c6719b RegEnumValueA 6854 2c671af RegCloseKey 6853->6854 6853->6855 6854->6865 6855->6853 6857 2c671d0 6855->6857 6948 2c6f1a5 lstrlenA 6855->6948 6858 2c67205 RegCloseKey 6857->6858 6859 2c67227 6857->6859 6858->6865 6860 
2c6728e RegCloseKey 6859->6860 6861 2c672b8 ___ascii_stricmp 6859->6861 6860->6865 6862 2c672cd RegCloseKey 6861->6862 6863 2c672dd 6861->6863 6862->6865 6864 2c67311 RegCloseKey 6863->6864 6867 2c67335 6863->6867 6864->6865 6865->6336 6866 2c673d5 RegCloseKey 6868 2c673e4 6866->6868 6867->6866 6869 2c6737e GetFileAttributesExA 6867->6869 6870 2c67397 6867->6870 6869->6870 6870->6866 6872 2c6741b 6871->6872 6873 2c66dc2 6 API calls 6872->6873 6874 2c6743f 6873->6874 6875 2c67469 RegOpenKeyExA 6874->6875 6877 2c677f9 6875->6877 6887 2c67487 ___ascii_stricmp 6875->6887 6876 2c67703 RegEnumKeyA 6878 2c67714 RegCloseKey 6876->6878 6876->6887 6877->6840 6878->6877 6879 2c6f1a5 lstrlenA 6879->6887 6880 2c674d2 RegOpenKeyExA 6880->6887 6881 2c6772c 6883 2c67742 RegCloseKey 6881->6883 6884 2c6774b 6881->6884 6882 2c67521 RegQueryValueExA 6882->6887 6883->6884 6886 2c677ec RegCloseKey 6884->6886 6885 2c676e4 RegCloseKey 6885->6887 6886->6877 6887->6876 6887->6879 6887->6880 6887->6881 6887->6882 6887->6885 6889 2c6777e GetFileAttributesExA 6887->6889 6890 2c67769 6887->6890 6888 2c677e3 RegCloseKey 6888->6886 6889->6890 6890->6888 6892 2c67a8d 6891->6892 6893 2c6783d LookupAccountNameA 6891->6893 6892->6842 6893->6892 6894 2c67874 GetLengthSid GetFileSecurityA 6893->6894 6894->6892 6895 2c678a8 GetSecurityDescriptorOwner 6894->6895 6896 2c678c5 EqualSid 6895->6896 6897 2c6791d GetSecurityDescriptorDacl 6895->6897 6896->6897 6898 2c678dc LocalAlloc 6896->6898 6897->6892 6904 2c67941 6897->6904 6898->6897 6899 2c678ef InitializeSecurityDescriptor 6898->6899 6900 2c67916 LocalFree 6899->6900 6901 2c678fb SetSecurityDescriptorOwner 6899->6901 6900->6897 6901->6900 6903 2c6790b SetFileSecurityA 6901->6903 6902 2c6795b GetAce 6902->6904 6903->6900 6904->6892 6904->6902 6905 2c67980 EqualSid 6904->6905 6906 2c679be EqualSid 6904->6906 6907 2c67a3d 6904->6907 6909 2c6799d DeleteAce 6904->6909 6905->6904 6906->6904 6907->6892 6908 2c67a43 LocalAlloc 6907->6908 6908->6892 6910 
2c67a56 InitializeSecurityDescriptor 6908->6910 6909->6904 6911 2c67a86 LocalFree 6910->6911 6912 2c67a62 SetSecurityDescriptorDacl 6910->6912 6911->6892 6912->6911 6913 2c67a73 SetFileSecurityA 6912->6913 6913->6911 6914 2c67a83 6913->6914 6914->6911 6916 2c67fa6 6915->6916 6916->6845 6918 2c67ac4 6917->6918 6919 2c67acb GetUserNameA 6917->6919 6918->6839 6920 2c67da7 RegCloseKey 6919->6920 6921 2c67aed LookupAccountNameA 6919->6921 6920->6918 6921->6920 6922 2c67b24 RegGetKeySecurity 6921->6922 6922->6920 6923 2c67b49 GetSecurityDescriptorOwner 6922->6923 6924 2c67b63 EqualSid 6923->6924 6925 2c67bb8 GetSecurityDescriptorDacl 6923->6925 6924->6925 6926 2c67b74 LocalAlloc 6924->6926 6927 2c67da6 6925->6927 6933 2c67bdc 6925->6933 6926->6925 6928 2c67b8a InitializeSecurityDescriptor 6926->6928 6927->6920 6929 2c67b96 SetSecurityDescriptorOwner 6928->6929 6930 2c67bb1 LocalFree 6928->6930 6929->6930 6932 2c67ba6 RegSetKeySecurity 6929->6932 6930->6925 6931 2c67bf8 GetAce 6931->6933 6932->6930 6933->6927 6933->6931 6934 2c67c1d EqualSid 6933->6934 6935 2c67c5f EqualSid 6933->6935 6936 2c67cd9 6933->6936 6937 2c67c3a DeleteAce 6933->6937 6934->6933 6935->6933 6936->6927 6938 2c67d5a LocalAlloc 6936->6938 6940 2c67cf2 RegOpenKeyExA 6936->6940 6937->6933 6938->6927 6939 2c67d70 InitializeSecurityDescriptor 6938->6939 6941 2c67d9f LocalFree 6939->6941 6942 2c67d7c SetSecurityDescriptorDacl 6939->6942 6940->6938 6945 2c67d0f 6940->6945 6941->6927 6942->6941 6943 2c67d8c RegSetKeySecurity 6942->6943 6943->6941 6944 2c67d9c 6943->6944 6944->6941 6946 2c67d43 RegSetValueExA 6945->6946 6946->6938 6947 2c67d54 6946->6947 6947->6938 6949 2c6f1c3 6948->6949 6949->6855 6950->6356 6952 2c6dd05 6 API calls 6951->6952 6955 2c6e65f 6952->6955 6953 2c6e6a5 6954 2c6ebcc 4 API calls 6953->6954 6960 2c6e6f5 6953->6960 6958 2c6e6b0 6954->6958 6955->6953 6956 2c6e68c lstrcmpA 6955->6956 6956->6955 6957 2c6e6b7 6957->6358 6958->6957 6959 2c6e6e0 lstrcpynA 6958->6959 6958->6960 6959->6960 
6960->6957 6961 2c6e71d lstrcmpA 6960->6961 6961->6960 6962->6364 6964 2c62692 inet_addr 6963->6964 6965 2c6268e 6963->6965 6964->6965 6966 2c6269e gethostbyname 6964->6966 6967 2c6f428 6965->6967 6966->6965 7115 2c6f315 6967->7115 6970 2c6f43e 6971 2c6f473 recv 6970->6971 6972 2c6f47c 6971->6972 6973 2c6f458 6971->6973 6972->6395 6973->6971 6973->6972 6975 2c6c525 6974->6975 6976 2c6c532 6974->6976 6975->6976 6978 2c6ec2e codecvt 4 API calls 6975->6978 6977 2c6c548 6976->6977 7128 2c6e7ff 6976->7128 6979 2c6c54f 6977->6979 6981 2c6e7ff lstrcmpiA 6977->6981 6978->6976 6979->6377 6983 2c6c615 6981->6983 6983->6979 6984 2c6ebcc 4 API calls 6983->6984 6984->6979 6985 2c6c5d1 6987 2c6ebcc 4 API calls 6985->6987 6986 2c6e819 11 API calls 6988 2c6c5b7 6986->6988 6987->6979 6989 2c6f04e 4 API calls 6988->6989 6990 2c6c5bf 6989->6990 6990->6977 6990->6985 6993 2c6c8d2 6991->6993 6992 2c6c907 6992->6379 6993->6992 6994 2c6c517 23 API calls 6993->6994 6994->6992 6996 2c6c67d 6995->6996 6997 2c6c670 6995->6997 6999 2c6ebcc 4 API calls 6996->6999 7001 2c6c699 6996->7001 6998 2c6ebcc 4 API calls 6997->6998 6998->6996 6999->7001 7000 2c6c6f3 7000->6408 7000->6425 7001->7000 7002 2c6c73c send 7001->7002 7002->7000 7004 2c6c77d 7003->7004 7005 2c6c770 7003->7005 7007 2c6c799 7004->7007 7008 2c6ebcc 4 API calls 7004->7008 7006 2c6ebcc 4 API calls 7005->7006 7006->7004 7009 2c6c7b5 7007->7009 7010 2c6ebcc 4 API calls 7007->7010 7008->7007 7011 2c6f43e recv 7009->7011 7010->7009 7012 2c6c7cb 7011->7012 7013 2c6f43e recv 7012->7013 7014 2c6c7d3 7012->7014 7013->7014 7014->6425 7131 2c67db7 7015->7131 7018 2c6f04e 4 API calls 7021 2c67e4c 7018->7021 7019 2c67e96 7019->6425 7020 2c6f04e 4 API calls 7020->7019 7022 2c6f04e 4 API calls 7021->7022 7023 2c67e70 7021->7023 7022->7023 7023->7019 7023->7020 7025 2c66ec3 2 API calls 7024->7025 7026 2c67fdd 7025->7026 7027 2c673ff 17 API calls 7026->7027 7028 2c680c2 CreateProcessA 7026->7028 7029 2c67fff 7027->7029 7028->6462 7028->6463 
7029->7028 7030 2c67809 21 API calls 7029->7030 7031 2c6804d 7030->7031 7031->7028 7032 2c6ef1e lstrlenA 7031->7032 7033 2c6809e 7032->7033 7034 2c6ef1e lstrlenA 7033->7034 7035 2c680af 7034->7035 7036 2c67a95 24 API calls 7035->7036 7036->7028 7038 2c67db7 2 API calls 7037->7038 7039 2c67eb8 7038->7039 7040 2c6f04e 4 API calls 7039->7040 7041 2c67ece DeleteFileA 7040->7041 7041->6425 7043 2c6dd05 6 API calls 7042->7043 7044 2c6e31d 7043->7044 7135 2c6e177 7044->7135 7046 2c6e326 7046->6434 7048 2c631f3 7047->7048 7058 2c631ec 7047->7058 7049 2c6ebcc 4 API calls 7048->7049 7063 2c631fc 7049->7063 7050 2c6344b 7051 2c6349d 7050->7051 7052 2c63459 7050->7052 7054 2c6ec2e codecvt 4 API calls 7051->7054 7053 2c6f04e 4 API calls 7052->7053 7055 2c6345f 7053->7055 7054->7058 7056 2c630fa 4 API calls 7055->7056 7056->7058 7057 2c6ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7057->7063 7058->6425 7059 2c6344d 7060 2c6ec2e codecvt 4 API calls 7059->7060 7060->7050 7062 2c63141 lstrcmpiA 7062->7063 7063->7050 7063->7057 7063->7058 7063->7059 7063->7062 7161 2c630fa GetTickCount 7063->7161 7065 2c630fa 4 API calls 7064->7065 7066 2c63c1a 7065->7066 7067 2c63ce6 7066->7067 7166 2c63a72 7066->7166 7067->6425 7070 2c63a72 9 API calls 7072 2c63c5e 7070->7072 7071 2c63a72 9 API calls 7071->7072 7072->7067 7072->7071 7073 2c6ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7072->7073 7073->7072 7075 2c63a10 7074->7075 7076 2c630fa 4 API calls 7075->7076 7077 2c63a1a 7076->7077 7077->6425 7079 2c6dd05 6 API calls 7078->7079 7080 2c6e7be 7079->7080 7080->6425 7082 2c6c07e wsprintfA 7081->7082 7086 2c6c105 7081->7086 7175 2c6bfce GetTickCount wsprintfA 7082->7175 7084 2c6c0ef 7176 2c6bfce GetTickCount wsprintfA 7084->7176 7086->6425 7088 2c67047 7087->7088 7089 2c66f88 LookupAccountNameA 7087->7089 7088->6425 7091 2c67025 7089->7091 7092 2c66fcb 7089->7092 7177 2c66edd 7091->7177 7095 2c66fdb ConvertSidToStringSidA 7092->7095 7095->7091 7096 2c66ff1 
7095->7096 7097 2c67013 LocalFree 7096->7097 7097->7091 7099 2c6dd05 6 API calls 7098->7099 7100 2c6e85c 7099->7100 7101 2c6dd84 lstrcmpiA 7100->7101 7102 2c6e867 7101->7102 7103 2c6e885 lstrcpyA 7102->7103 7188 2c624a5 7102->7188 7191 2c6dd69 7103->7191 7109 2c67db7 2 API calls 7108->7109 7110 2c67de1 7109->7110 7111 2c6f04e 4 API calls 7110->7111 7114 2c67e16 7110->7114 7112 2c67df2 7111->7112 7113 2c6f04e 4 API calls 7112->7113 7112->7114 7113->7114 7114->6425 7116 2c6f33b 7115->7116 7124 2c6ca1d 7115->7124 7117 2c6f347 htons socket 7116->7117 7118 2c6f374 closesocket 7117->7118 7119 2c6f382 ioctlsocket 7117->7119 7118->7124 7120 2c6f39d 7119->7120 7121 2c6f3aa connect select 7119->7121 7123 2c6f39f closesocket 7120->7123 7122 2c6f3f2 __WSAFDIsSet 7121->7122 7121->7124 7122->7123 7125 2c6f403 ioctlsocket 7122->7125 7123->7124 7124->6392 7124->6970 7127 2c6f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7125->7127 7127->7124 7129 2c6dd84 lstrcmpiA 7128->7129 7130 2c6c58e 7129->7130 7130->6977 7130->6985 7130->6986 7132 2c67dc8 InterlockedExchange 7131->7132 7133 2c67dd4 7132->7133 7134 2c67dc0 Sleep 7132->7134 7133->7018 7133->7023 7134->7132 7138 2c6e184 7135->7138 7136 2c6e2e4 7136->7046 7137 2c6e223 7137->7136 7140 2c6dfe2 8 API calls 7137->7140 7138->7136 7138->7137 7151 2c6dfe2 7138->7151 7144 2c6e23c 7140->7144 7141 2c6e1be 7141->7137 7142 2c6dbcf 3 API calls 7141->7142 7145 2c6e1d6 7142->7145 7143 2c6e21a CloseHandle 7143->7137 7144->7136 7155 2c6e095 RegCreateKeyExA 7144->7155 7145->7137 7145->7143 7146 2c6e1f9 WriteFile 7145->7146 7146->7143 7148 2c6e213 7146->7148 7148->7143 7149 2c6e2a3 7149->7136 7150 2c6e095 4 API calls 7149->7150 7150->7136 7152 2c6dffc 7151->7152 7154 2c6e024 7151->7154 7153 2c6db2e 8 API calls 7152->7153 7152->7154 7153->7154 7154->7141 7156 2c6e172 7155->7156 7158 2c6e0c0 7155->7158 7156->7149 7157 2c6e13d 7159 2c6e14e RegDeleteValueA RegCloseKey 7157->7159 7158->7157 7160 2c6e115 RegSetValueExA 7158->7160 7159->7156 
7160->7157 7160->7158 7162 2c63122 InterlockedExchange 7161->7162 7163 2c6312e 7162->7163 7164 2c6310f GetTickCount 7162->7164 7163->7063 7164->7163 7165 2c6311a Sleep 7164->7165 7165->7162 7167 2c6f04e 4 API calls 7166->7167 7174 2c63a83 7167->7174 7168 2c63be6 7172 2c6ec2e codecvt 4 API calls 7168->7172 7169 2c63ac1 7169->7067 7169->7070 7170 2c6ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7171 2c63bc0 7170->7171 7171->7168 7171->7170 7172->7169 7173 2c63b66 lstrlenA 7173->7169 7173->7174 7174->7169 7174->7171 7174->7173 7175->7084 7176->7086 7178 2c66eef AllocateAndInitializeSid 7177->7178 7179 2c66f55 wsprintfA 7177->7179 7180 2c66f44 7178->7180 7181 2c66f1c CheckTokenMembership 7178->7181 7179->7088 7180->7179 7185 2c66e36 GetUserNameW 7180->7185 7182 2c66f2e 7181->7182 7183 2c66f3b FreeSid 7181->7183 7182->7183 7183->7180 7186 2c66e97 7185->7186 7187 2c66e5f LookupAccountNameW 7185->7187 7186->7179 7187->7186 7189 2c62419 4 API calls 7188->7189 7190 2c624b6 7189->7190 7190->7103 7192 2c6dd79 lstrlenA 7191->7192 7192->6425 7194 2c6eb17 7193->7194 7195 2c6eb21 7193->7195 7196 2c6eae4 2 API calls 7194->7196 7195->6519 7196->7195 7199 2c669b9 WriteFile 7197->7199 7201 2c66a3c 7199->7201 7202 2c669ff 7199->7202 7200 2c66a10 WriteFile 7200->7201 7200->7202 7201->6514 7201->6515 7202->7200 7202->7201 7204 2c63edc 7203->7204 7206 2c63ee2 7203->7206 7205 2c66dc2 6 API calls 7204->7205 7205->7206 7206->6529 7208 2c6400b CreateFileA 7207->7208 7209 2c6402c GetLastError 7208->7209 7211 2c64052 7208->7211 7210 2c64037 7209->7210 7209->7211 7210->7211 7212 2c64041 Sleep 7210->7212 7211->6533 7212->7208 7212->7211 7214 2c63f4e GetLastError 7213->7214 7216 2c63f7c 7213->7216 7215 2c63f5b WaitForSingleObject GetOverlappedResult 7214->7215 7214->7216 7215->7216 7217 2c63f8c ReadFile 7216->7217 7218 2c63fc2 GetLastError 7217->7218 7219 2c63ff0 7217->7219 7218->7219 7220 2c63fcf WaitForSingleObject GetOverlappedResult 7218->7220 7219->6538 7219->6539 
7220->7219 7222 2c61924 GetVersionExA 7221->7222 7222->6578 7224 2c6f0f1 7223->7224 7225 2c6f0ed 7223->7225 7226 2c6f0fa lstrlenA SysAllocStringByteLen 7224->7226 7227 2c6f119 7224->7227 7225->6610 7228 2c6f117 7226->7228 7229 2c6f11c MultiByteToWideChar 7226->7229 7227->7229 7228->6610 7229->7228 7231 2c61820 17 API calls 7230->7231 7232 2c618f2 7231->7232 7233 2c618f9 7232->7233 7247 2c61280 7232->7247 7233->6604 7235 2c61908 7235->6604 7260 2c61000 7236->7260 7238 2c61839 7239 2c61851 GetCurrentProcess 7238->7239 7240 2c6183d 7238->7240 7241 2c61864 7239->7241 7240->6593 7241->6593 7243 2c6920e 7242->7243 7246 2c69308 7242->7246 7244 2c692f1 Sleep 7243->7244 7245 2c692bf ShellExecuteA 7243->7245 7243->7246 7244->7243 7245->7243 7245->7246 7246->6604 7250 2c612e1 ShellExecuteExW 7247->7250 7249 2c616f9 GetLastError 7251 2c61699 7249->7251 7250->7249 7257 2c613a8 7250->7257 7251->7235 7252 2c61570 lstrlenW 7252->7257 7253 2c615be GetStartupInfoW 7253->7257 7254 2c615ff CreateProcessWithLogonW 7255 2c616bf GetLastError 7254->7255 7256 2c6163f WaitForSingleObject 7254->7256 7255->7251 7256->7257 7258 2c61659 CloseHandle 7256->7258 7257->7251 7257->7252 7257->7253 7257->7254 7259 2c61668 CloseHandle 7257->7259 7258->7257 7259->7257 7261 2c6100d LoadLibraryA 7260->7261 7272 2c61023 7260->7272 7262 2c61021 7261->7262 7261->7272 7262->7238 7263 2c610b5 GetProcAddress 7264 2c610d1 GetProcAddress 7263->7264 7265 2c6127b 7263->7265 7264->7265 7266 2c610f0 GetProcAddress 7264->7266 7265->7238 7266->7265 7267 2c61110 GetProcAddress 7266->7267 7267->7265 7268 2c61130 GetProcAddress 7267->7268 7268->7265 7269 2c6114f GetProcAddress 7268->7269 7269->7265 7270 2c6116f GetProcAddress 7269->7270 7270->7265 7271 2c6118f GetProcAddress 7270->7271 7271->7265 7273 2c611ae GetProcAddress 7271->7273 7272->7263 7280 2c610ae 7272->7280 7273->7265 7274 2c611ce GetProcAddress 7273->7274 7274->7265 7275 2c611ee GetProcAddress 7274->7275 7275->7265 7276 2c61209 GetProcAddress 7275->7276 
Control-flow graph (Joe Sandbox IDA plugin) for functions at 02C61xxx-02C6Fxxx of the 02C60000 memory dump. Only the flat node/edge list of the graph survived extraction; the recoverable content is the set of API calls attached to its nodes: LoadLibraryA/GetProcAddress (dynamic API resolution); CreateProcessA, GetThreadContext, GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread, TerminateProcess (writing a payload into a newly created process); CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, ReadFile, WriteFile, GetOverlappedResult, WaitForSingleObject (named-pipe IPC); RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey (registry-stored configuration); GetTempPathA, CreateFileA, WriteFile, DeleteFileA, IsBadCodePtr, IsBadWritePtr (temporary file drops); socket, select, send, sendto, recv, closesocket, htons, inet_addr, inet_ntoa, gethostname, gethostbyname, gethostbyaddr, DnsQuery_A (raw sockets and DNS); CreateThread, InterlockedIncrement/Decrement/Exchange, GetCurrentThreadId, GetTickCount, Sleep (worker-thread and timing loops); GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, GetSystemTimeAsFileTime (timestamp formatting); GetProcessHeap, HeapAlloc, HeapFree, lstrlenA, lstrcpyA, lstrcpynA, lstrcmpA, lstrcmpiA, wsprintfA (string and buffer handling); ExitProcess.
APIs
• closesocket.WS2_32(?), ref: 02C6CA4E
• closesocket.WS2_32(?), ref: 02C6CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 02C6CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02C6CCB4
• WriteFile.KERNEL32(02C6A4B3,?,-000000E8,?,00000000), ref: 02C6CCDC
• CloseHandle.KERNEL32(02C6A4B3), ref: 02C6CCED
• wsprintfA.USER32 ref: 02C6CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02C6CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02C6CD89
• CloseHandle.KERNEL32(?), ref: 02C6CD98
• CloseHandle.KERNEL32(?), ref: 02C6CD9D
• DeleteFileA.KERNEL32(?), ref: 02C6CDC4
• CloseHandle.KERNEL32(02C6A4B3), ref: 02C6CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02C6CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02C6CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02C6D033
• lstrcatA.KERNEL32(?,04100108), ref: 02C6D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02C6D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02C6D171
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000), ref: 02C6D195
• CloseHandle.KERNEL32(00000000), ref: 02C6D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02C6D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02C6D231
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 02C6D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02C6D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D2C7
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02C6D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02C6D372
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 02C6D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02C6D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D408
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02C6D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02C6D45B
• CreateProcessA.KERNEL32(?,02C70264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02C6D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02C6D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02C6D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02C6D513
• closesocket.WS2_32(?), ref: 02C6D56C
• Sleep.KERNEL32(000003E8), ref: 02C6D577
• ExitProcess.KERNEL32 ref: 02C6D583
• wsprintfA.USER32 ref: 02C6D81F
  • Part of subcall function 02C6C65C: send.WS2_32(00000000,?,00000000), ref: 02C6C74B
• closesocket.WS2_32(?), ref: 02C6DAD5
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-500150725
• Opcode ID: f5f300e50196e1ceb21bbb501675f18cfc16e1bb738888d9dc2d328d60f121a2
• Instruction ID: e667439eccf7e90c937b8ab96da8c0527d8cac2e6fe22077a05a8845373a5307
• Opcode Fuzzy Hash: f5f300e50196e1ceb21bbb501675f18cfc16e1bb738888d9dc2d328d60f121a2
• Instruction Fuzzy Hash: 87B2C0B2D40249AFEB20ABA4DCCCFBE7BBDAB48304F04056AE546A3140D7719A59DF51
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 02C69A7F
• SetErrorMode.KERNELBASE(00000003), ref: 02C69A83
• SetUnhandledExceptionFilter.KERNEL32(02C66511), ref: 02C69A8A
  • Part of subcall function 02C6EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02C6EC5E
  • Part of subcall function 02C6EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02C6EC72
  • Part of subcall function 02C6EC54: GetTickCount.KERNEL32 ref: 02C6EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02C69AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02C69ABA
• GetCommandLineA.KERNEL32 ref: 02C69AFD
• lstrlenA.KERNEL32(?), ref: 02C69B99
• ExitProcess.KERNEL32 ref: 02C69C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02C69CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02C69D7A
• lstrcatA.KERNEL32(?,?), ref: 02C69D8B
• lstrcatA.KERNEL32(?,02C7070C), ref: 02C69D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02C69DED
• DeleteFileA.KERNEL32(00000022), ref: 02C69E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02C69E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02C69EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02C69ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02C69F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02C69F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02C69F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02C69FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02C69FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02C69FFE
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 02C6A038
                                                                                                  • lstrcatA.KERNEL32(00000022,02C70A34), ref: 02C6A05E
                                                                                                  • lstrcatA.KERNEL32(00000022,00000022), ref: 02C6A072
                                                                                                  • lstrcatA.KERNEL32(00000022,02C70A34), ref: 02C6A08D
                                                                                                  • wsprintfA.USER32 ref: 02C6A0B6
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 02C6A0DE
                                                                                                  • lstrcatA.KERNEL32(00000022,?), ref: 02C6A0FD
                                                                                                  • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02C6A120
                                                                                                  • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02C6A131
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02C6A174
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 02C6A17B
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 02C6A1B6
                                                                                                  • GetCommandLineA.KERNEL32 ref: 02C6A1E5
                                                                                                    • Part of subcall function 02C699D2: lstrcpyA.KERNEL32(?,?,00000100,02C722F8,00000000,?,02C69E9D,?,00000022,?,?,?,?,?,?,?), ref: 02C699DF
                                                                                                    • Part of subcall function 02C699D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02C69E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02C69A3C
                                                                                                    • Part of subcall function 02C699D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02C69E9D,?,00000022,?,?,?), ref: 02C69A52
                                                                                                  • lstrlenA.KERNEL32(?), ref: 02C6A288
                                                                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02C6A3B7
                                                                                                  • GetLastError.KERNEL32 ref: 02C6A3ED
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 02C6A400
                                                                                                  • DeleteFileA.KERNELBASE(02C733D8), ref: 02C6A407
                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,02C6405E,00000000,00000000,00000000), ref: 02C6A42C
                                                                                                  • WSAStartup.WS2_32(00001010,?), ref: 02C6A43A
                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,02C6877E,00000000,00000000,00000000), ref: 02C6A469
                                                                                                  • Sleep.KERNELBASE(00000BB8), ref: 02C6A48A
                                                                                                  • GetTickCount.KERNEL32 ref: 02C6A49F
                                                                                                  • GetTickCount.KERNEL32 ref: 02C6A4B7
                                                                                                  • Sleep.KERNELBASE(00001A90), ref: 02C6A4C3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                  • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$D$P$\$tdomrpcj
                                                                                                  • API String ID: 2089075347-1480026688
                                                                                                  • Opcode ID: 321b8211d0c709e4c9f8f6306379f90df9bdc3e48a44cd923b8fd1efdf81154f
                                                                                                  • Instruction ID: a4beb50a409720af899b5da479d4a5ae68e74acd6fcc140f4ea8d4cfada00a30
                                                                                                  • Opcode Fuzzy Hash: 321b8211d0c709e4c9f8f6306379f90df9bdc3e48a44cd923b8fd1efdf81154f
                                                                                                  • Instruction Fuzzy Hash: 1C527FB1C40259AFDB219FA0CCCDFFE7BBDAB44304F1445A6E609E2140EB719A499F61

                                                                                                  Control-flow Graph (rendered graph omitted)
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(123.45.67.89), ref: 02C619B1
                                                                                                  • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02C61E9E), ref: 02C619BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C619E2
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02C619ED
                                                                                                  • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02C619F9
                                                                                                  • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02C61E9E), ref: 02C61A1B
                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02C61E9E), ref: 02C61A1D
                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02C61E9E), ref: 02C61A36
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,02C61E9E,?,?,?,?,00000001,02C61E9E), ref: 02C61A4A
                                                                                                  • HeapReAlloc.KERNEL32(?,00000000,00000000,02C61E9E,?,?,?,?,00000001,02C61E9E), ref: 02C61A5A
                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,02C61E9E,?,?,?,?,00000001,02C61E9E), ref: 02C61A6E
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02C61E9E), ref: 02C61A9B
                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02C61E9E), ref: 02C61AA4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                  • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                  • API String ID: 293628436-270533642
                                                                                                  • Opcode ID: d8adb62eb90d9e0895213b0d3e174ba622e13831724d269757d88d5fe032a84d
                                                                                                  • Instruction ID: ec485574ffac8489b4fac5e3de90fd580e144cb73ec84aa84d1a1d1757444616
                                                                                                  • Opcode Fuzzy Hash: d8adb62eb90d9e0895213b0d3e174ba622e13831724d269757d88d5fe032a84d
                                                                                                  • Instruction Fuzzy Hash: 9A317072D80249AFDB119FE4CCCC9BEBBB9EF84206B180579E505E2211D7B14B40CBA0

                                                                                                  Control-flow Graph (rendered graph omitted)
738->715 738->737 739->707 740->739 742 2c67d8c-2c67d9a RegSetKeySecurity 740->742 741->741 743 2c67d20-2c67d52 call 2c62544 RegSetValueExA 741->743 742->739 744 2c67d9c 742->744 743->730 747 2c67d54 743->747 744->739 747->730
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02C67ABA
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 02C67ADF
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,02C7070C,?,?,?), ref: 02C67B16
                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02C67B3B
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02C67B59
                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 02C67B6A
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02C67B7E
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C67B8C
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02C67B9C
                                                                                                  • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02C67BAB
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02C67BB2
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,02C67FC9,?,00000000), ref: 02C67BCE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$D
                                                                                                  • API String ID: 2976863881-2638929953
                                                                                                  • Opcode ID: 5bbb6858b2f72946b6cea0bef3fe0c1ccf0a5713e207e703b1bd28615979d19e
                                                                                                  • Instruction ID: 0fd21780345834d0203d78b96aae2bc437dc6944b6e105b02399466e45eda9cd
                                                                                                  • Opcode Fuzzy Hash: 5bbb6858b2f72946b6cea0bef3fe0c1ccf0a5713e207e703b1bd28615979d19e
                                                                                                  • Instruction Fuzzy Hash: 4BA15E71D40219AFEF118FA4DC88FFEBBB9FB44708F044969E905E2140E7358A59CB60

                                                                                                  Control-flow Graph (rendered graph omitted)
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 02C6782F
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02C67866
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 02C67878
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02C6789A
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,02C67F63,?), ref: 02C678B8
                                                                                                  • EqualSid.ADVAPI32(?,02C67F63), ref: 02C678D2
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02C678E3
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C678F1
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02C67901
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02C67910
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02C67917
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02C67933
                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 02C67963
                                                                                                  • EqualSid.ADVAPI32(?,02C67F63), ref: 02C6798A
                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 02C679A3
                                                                                                  • EqualSid.ADVAPI32(?,02C67F63), ref: 02C679C5
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02C67A4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02C67A58
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02C67A69
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02C67A79
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02C67A87
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: 47598c53a7c0883537a50b95ddcdfe871a2014342b9f4989235f4d74dfb18b0b
                                                                                                  • Instruction ID: 888dae4c7821b5e3fdbaa1175e1220d4bc8f765593660466bc83c187a30aa5c5
                                                                                                  • Opcode Fuzzy Hash: 47598c53a7c0883537a50b95ddcdfe871a2014342b9f4989235f4d74dfb18b0b
                                                                                                  • Instruction Fuzzy Hash: FB815B71D40219ABDB21CFA4CD88FEEFBB8EF48348F14496AE515E2141E7358749CBA0

                                                                                                  Control-flow Graph (rendered graph omitted)
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02C683F3
                                                                                                  • RegQueryValueExA.KERNELBASE(02C70750,?,00000000,?,02C68893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02C68414
                                                                                                  • RegSetValueExA.KERNELBASE(02C70750,?,00000000,00000004,02C68893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02C68441
                                                                                                  • RegCloseKey.ADVAPI32(02C70750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02C6844A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe$localcfg
                                                                                                  • API String ID: 237177642-432336059
                                                                                                  • Opcode ID: 2be0313683d67660f44a721da375f43a3f981371414aaa3056d1ce6bdf935c73
                                                                                                  • Instruction ID: 9f397c09bc562abd6c7b08c044deb4ac1eabb4fe67fad982ade7e4f2dce782a7
                                                                                                  • Opcode Fuzzy Hash: 2be0313683d67660f44a721da375f43a3f981371414aaa3056d1ce6bdf935c73
                                                                                                  • Instruction Fuzzy Hash: 00C181B1D80149BFEF11ABA49CC9EFE7BBDEB44304F144666F505A2040E7709B989F61

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32 ref: 02C61DC6
                                                                                                  • GetSystemInfo.KERNELBASE(?), ref: 02C61DE8
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02C61E03
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02C61E0A
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 02C61E1B
                                                                                                  • GetTickCount.KERNEL32 ref: 02C61FC9
                                                                                                    • Part of subcall function 02C61BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02C61C15
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                  • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                  • API String ID: 4207808166-1381319158
                                                                                                  • Opcode ID: d9fd8f9288c1d4d3d71a2fb66eb237fc9f5a83052336f0b2b548416dd484a2f2
                                                                                                  • Instruction ID: 4b03dbe8e769a6f94530253ccc8ff0c0d685625bfc7293780d0d866699fc6c7d
                                                                                                  • Opcode Fuzzy Hash: d9fd8f9288c1d4d3d71a2fb66eb237fc9f5a83052336f0b2b548416dd484a2f2
                                                                                                  • Instruction Fuzzy Hash: B05173B09447446FE320AF758CCDF77BAECEF85749F04491DE54A82242D7B5A504CBA2

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 999 2c673ff-2c67419 1000 2c6741d-2c67422 999->1000 1001 2c6741b 999->1001 1002 2c67426-2c6742b 1000->1002 1003 2c67424 1000->1003 1001->1000 1004 2c67430-2c67435 1002->1004 1005 2c6742d 1002->1005 1003->1002 1006 2c67437 1004->1006 1007 2c6743a-2c67481 call 2c66dc2 call 2c62544 RegOpenKeyExA 1004->1007 1005->1004 1006->1007 1012 2c67487-2c6749d call 2c6ee2a 1007->1012 1013 2c677f9-2c677fe call 2c6ee2a 1007->1013 1018 2c67703-2c6770e RegEnumKeyA 1012->1018 1019 2c67801 1013->1019 1020 2c67714-2c6771d RegCloseKey 1018->1020 1021 2c674a2-2c674b1 call 2c66cad 1018->1021 1022 2c67804-2c67808 1019->1022 1020->1019 1025 2c674b7-2c674cc call 2c6f1a5 1021->1025 1026 2c676ed-2c67700 1021->1026 1025->1026 1029 2c674d2-2c674f8 RegOpenKeyExA 1025->1029 1026->1018 1030 2c67727-2c6772a 1029->1030 1031 2c674fe-2c67530 call 2c62544 RegQueryValueExA 1029->1031 1032 2c67755-2c67764 call 2c6ee2a 1030->1032 1033 2c6772c-2c67740 call 2c6ef00 1030->1033 1031->1030 1040 2c67536-2c6753c 1031->1040 1041 2c676df-2c676e2 1032->1041 1042 2c67742-2c67745 RegCloseKey 1033->1042 1043 2c6774b-2c6774e 1033->1043 1044 2c6753f-2c67544 1040->1044 1041->1026 1045 2c676e4-2c676e7 RegCloseKey 1041->1045 1042->1043 1047 2c677ec-2c677f7 RegCloseKey 1043->1047 1044->1044 1046 2c67546-2c6754b 1044->1046 1045->1026 1046->1032 1048 2c67551-2c6756b call 2c6ee95 1046->1048 1047->1022 1048->1032 1051 2c67571-2c67593 call 2c62544 call 2c6ee95 1048->1051 1056 2c67753 1051->1056 1057 2c67599-2c675a0 1051->1057 1056->1032 1058 2c675a2-2c675c6 call 2c6ef00 call 2c6ed03 1057->1058 1059 2c675c8-2c675d7 call 2c6ed03 1057->1059 1064 2c675d8-2c675da 1058->1064 1059->1064 1066 2c675df-2c67623 call 2c6ee95 call 2c62544 call 2c6ee95 call 2c6ee2a 1064->1066 1067 2c675dc 1064->1067 1077 2c67626-2c6762b 1066->1077 1067->1066 1077->1077 1078 2c6762d-2c67634 1077->1078 1079 2c67637-2c6763c 1078->1079 1079->1079 1080 
2c6763e-2c67642 1079->1080 1081 2c67644-2c67656 call 2c6ed77 1080->1081 1082 2c6765c-2c67673 call 2c6ed23 1080->1082 1081->1082 1087 2c67769-2c6777c call 2c6ef00 1081->1087 1088 2c67675-2c6767e 1082->1088 1089 2c67680 1082->1089 1094 2c677e3-2c677e6 RegCloseKey 1087->1094 1091 2c67683-2c6768e call 2c66cad 1088->1091 1089->1091 1096 2c67694-2c676bf call 2c6f1a5 call 2c66c96 1091->1096 1097 2c67722-2c67725 1091->1097 1094->1047 1103 2c676c1-2c676c7 1096->1103 1104 2c676d8 1096->1104 1098 2c676dd 1097->1098 1098->1041 1103->1104 1105 2c676c9-2c676d2 1103->1105 1104->1098 1105->1104 1106 2c6777e-2c67797 GetFileAttributesExA 1105->1106 1107 2c6779a-2c6779f 1106->1107 1108 2c67799 1106->1108 1109 2c677a3-2c677a8 1107->1109 1110 2c677a1 1107->1110 1108->1107 1111 2c677c4-2c677c8 1109->1111 1112 2c677aa-2c677c0 call 2c6ee08 1109->1112 1110->1109 1114 2c677d7-2c677dc 1111->1114 1115 2c677ca-2c677d6 call 2c6ef00 1111->1115 1112->1111 1117 2c677e0-2c677e2 1114->1117 1118 2c677de 1114->1118 1115->1114 1117->1094 1118->1117
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 02C67472
                                                                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 02C674F0
                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 02C67528
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 02C6764D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 02C676E7
                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02C67706
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 02C67717
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 02C67745
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 02C677EF
                                                                                                    • Part of subcall function 02C6F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02C722F8,000000C8,02C67150,?), ref: 02C6F1AD
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02C6778F
                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 02C677E6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                  • String ID: "
                                                                                                  • API String ID: 3433985886-123907689
                                                                                                  • Opcode ID: 3041dc0184deaff60e44e4737a776b08320dc549a9572ed9486814d7f0e9031c
                                                                                                  • Instruction ID: ded8bfa04517751b23fe788b9b12404a9621368e1d0ece58cbd91eb275899e76
                                                                                                  • Opcode Fuzzy Hash: 3041dc0184deaff60e44e4737a776b08320dc549a9572ed9486814d7f0e9031c
                                                                                                  • Instruction Fuzzy Hash: E1C19171944209AFEB119FA5DC8CFFEBBB9EF84314F140896E504A6190EB71DA48DF60

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1121 2c6675c-2c66778 1122 2c66784-2c667a2 CreateFileA 1121->1122 1123 2c6677a-2c6677e SetFileAttributesA 1121->1123 1124 2c667a4-2c667b2 CreateFileA 1122->1124 1125 2c667b5-2c667b8 1122->1125 1123->1122 1124->1125 1126 2c667c5-2c667c9 1125->1126 1127 2c667ba-2c667bf SetFileAttributesA 1125->1127 1128 2c66977-2c66986 1126->1128 1129 2c667cf-2c667df GetFileSize 1126->1129 1127->1126 1130 2c667e5-2c667e7 1129->1130 1131 2c6696b 1129->1131 1130->1131 1133 2c667ed-2c6680b ReadFile 1130->1133 1132 2c6696e-2c66971 FindCloseChangeNotification 1131->1132 1132->1128 1133->1131 1134 2c66811-2c66824 SetFilePointer 1133->1134 1134->1131 1135 2c6682a-2c66842 ReadFile 1134->1135 1135->1131 1136 2c66848-2c66861 SetFilePointer 1135->1136 1136->1131 1137 2c66867-2c66876 1136->1137 1138 2c668d5-2c668df 1137->1138 1139 2c66878-2c6688f ReadFile 1137->1139 1138->1132 1142 2c668e5-2c668eb 1138->1142 1140 2c668d2 1139->1140 1141 2c66891-2c6689e 1139->1141 1140->1138 1143 2c668b7-2c668ba 1141->1143 1144 2c668a0-2c668b5 1141->1144 1145 2c668f0-2c668fe call 2c6ebcc 1142->1145 1146 2c668ed 1142->1146 1147 2c668bd-2c668c3 1143->1147 1144->1147 1145->1131 1152 2c66900-2c6690b SetFilePointer 1145->1152 1146->1145 1150 2c668c5 1147->1150 1151 2c668c8-2c668ce 1147->1151 1150->1151 1151->1139 1153 2c668d0 1151->1153 1154 2c6690d-2c66920 ReadFile 1152->1154 1155 2c6695a-2c66969 call 2c6ec2e 1152->1155 1153->1138 1154->1155 1156 2c66922-2c66958 1154->1156 1155->1132 1156->1132
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 02C6677E
                                                                                                  • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 02C6679A
                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 02C667B0
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 02C667BF
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 02C667D3
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,00000040,02C68244,00000000,?,771B0F10,00000000), ref: 02C66807
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02C6681F
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 02C6683E
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02C6685C
                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,02C68244,00000000,?,771B0F10,00000000), ref: 02C6688B
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 02C66906
                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,02C68244,00000000,?,771B0F10,00000000), ref: 02C6691C
                                                                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 02C66971
                                                                                                    • Part of subcall function 02C6EC2E: GetProcessHeap.KERNEL32(00000000,02C6EA27,00000000,02C6EA27,00000000), ref: 02C6EC41
                                                                                                    • Part of subcall function 02C6EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02C6EC48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 1400801100-0
                                                                                                  • Opcode ID: 8920f1a96793a9724c09bc3ce7fb366ae48177ec5af02c8d44625389d880cda1
                                                                                                  • Instruction ID: 7565961feb1055cab3bae41eba810a89049ce4a13314edbc4b1630b0e29aa6e0
                                                                                                  • Opcode Fuzzy Hash: 8920f1a96793a9724c09bc3ce7fb366ae48177ec5af02c8d44625389d880cda1
                                                                                                  • Instruction Fuzzy Hash: 3B711571D00219EFDB148FA5CC84AFEBBB9FF48314F20456AE915A6190E7349E52DB60

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1159 2c6f315-2c6f332 1160 2c6f334-2c6f336 1159->1160 1161 2c6f33b-2c6f372 call 2c6ee2a htons socket 1159->1161 1162 2c6f424-2c6f427 1160->1162 1165 2c6f374-2c6f37d closesocket 1161->1165 1166 2c6f382-2c6f39b ioctlsocket 1161->1166 1165->1162 1167 2c6f39d 1166->1167 1168 2c6f3aa-2c6f3f0 connect select 1166->1168 1171 2c6f39f-2c6f3a8 closesocket 1167->1171 1169 2c6f3f2-2c6f401 __WSAFDIsSet 1168->1169 1170 2c6f421 1168->1170 1169->1171 1173 2c6f403-2c6f416 ioctlsocket call 2c6f26d 1169->1173 1172 2c6f423 1170->1172 1171->1172 1172->1162 1175 2c6f41b-2c6f41f 1173->1175 1175->1172
                                                                                                  APIs
                                                                                                  • htons.WS2_32(02C6CA1D), ref: 02C6F34D
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 02C6F367
                                                                                                  • closesocket.WS2_32(00000000), ref: 02C6F375
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 6f467beafa6d54805f42ae87307542d2af9633f211691a94efd91ba4730c7454
                                                                                                  • Instruction ID: 5dc1132ffb5b51d39ea20676ac7dbe6ab3cdfb513cb086f28f258faa49ecc3b1
                                                                                                  • Opcode Fuzzy Hash: 6f467beafa6d54805f42ae87307542d2af9633f211691a94efd91ba4730c7454
                                                                                                  • Instruction Fuzzy Hash: A5317E72944118ABDB10DFA5EC89EFE7BBCFF88350F10456AF915D3540E7709A458BA0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1176 2c6405e-2c6407b CreateEventA 1177 2c64084-2c640a8 call 2c63ecd call 2c64000 1176->1177 1178 2c6407d-2c64081 1176->1178 1183 2c64130-2c6413e call 2c6ee2a 1177->1183 1184 2c640ae-2c640be call 2c6ee2a 1177->1184 1189 2c6413f-2c64165 call 2c63ecd CreateNamedPipeA 1183->1189 1184->1183 1190 2c640c0-2c640f1 call 2c6eca5 call 2c63f18 call 2c63f8c 1184->1190 1195 2c64167-2c64174 Sleep 1189->1195 1196 2c64188-2c64193 ConnectNamedPipe 1189->1196 1208 2c64127-2c6412a CloseHandle 1190->1208 1209 2c640f3-2c640ff 1190->1209 1195->1189 1198 2c64176-2c64182 CloseHandle 1195->1198 1200 2c64195-2c641a5 GetLastError 1196->1200 1201 2c641ab-2c641c0 call 2c63f8c 1196->1201 1198->1196 1200->1201 1203 2c6425e-2c64265 DisconnectNamedPipe 1200->1203 1201->1196 1207 2c641c2-2c641f2 call 2c63f18 call 2c63f8c 1201->1207 1203->1196 1207->1203 1217 2c641f4-2c64200 1207->1217 1208->1183 1209->1208 1211 2c64101-2c64121 call 2c63f18 ExitProcess 1209->1211 1217->1203 1218 2c64202-2c64215 call 2c63f8c 1217->1218 1218->1203 1221 2c64217-2c6421b 1218->1221 1221->1203 1222 2c6421d-2c64230 call 2c63f8c 1221->1222 1222->1203 1225 2c64232-2c64236 1222->1225 1225->1196 1226 2c6423c-2c64251 call 2c63f18 1225->1226 1229 2c64253-2c64259 1226->1229 1230 2c6426a-2c64276 CloseHandle * 2 call 2c6e318 1226->1230 1229->1196 1232 2c6427b 1230->1232 1232->1232
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02C64070
                                                                                                  • ExitProcess.KERNEL32 ref: 02C64121
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 2404124870-0
                                                                                                  • Opcode ID: 581dbe2cab949c32e943b5ce79324cef4babe669f5c7b60eb02b7cb4810a2ca8
                                                                                                  • Instruction ID: 58112937eb627fb56dfc8ee6ff0b40c5a835998bb77509de8c533e0c5d541d16
                                                                                                  • Opcode Fuzzy Hash: 581dbe2cab949c32e943b5ce79324cef4babe669f5c7b60eb02b7cb4810a2ca8
                                                                                                  • Instruction Fuzzy Hash: 5E516CB1D40219BBEB34AAA08CC9FBF7B7DEB51714F1001A5FA14B6180E7718A05DBA1

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1233 2c62d21-2c62d44 GetModuleHandleA 1234 2c62d46-2c62d52 LoadLibraryA 1233->1234 1235 2c62d5b-2c62d69 GetProcAddress 1233->1235 1234->1235 1236 2c62d54-2c62d56 1234->1236 1235->1236 1237 2c62d6b-2c62d7b DnsQuery_A 1235->1237 1238 2c62dee-2c62df1 1236->1238 1237->1236 1239 2c62d7d-2c62d88 1237->1239 1240 2c62d8a-2c62d8b 1239->1240 1241 2c62deb 1239->1241 1242 2c62d90-2c62d95 1240->1242 1241->1238 1243 2c62d97-2c62daa GetProcessHeap HeapAlloc 1242->1243 1244 2c62de2-2c62de8 1242->1244 1245 2c62dac-2c62dd9 call 2c6ee2a lstrcpynA 1243->1245 1246 2c62dea 1243->1246 1244->1242 1244->1246 1249 2c62de0 1245->1249 1250 2c62ddb-2c62dde 1245->1250 1246->1241 1249->1244 1250->1244
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,02C62F01,?,02C620FF,02C72000), ref: 02C62D3A
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 02C62D4A
                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02C62D61
                                                                                                  • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02C62D77
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02C62D99
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 02C62DA0
                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02C62DCB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                  • API String ID: 233223969-3847274415
                                                                                                  • Opcode ID: e39f1e170116239d7bc8c90bbf147e6a5164738d80efeadc651a652cba6691c3
                                                                                                  • Instruction ID: 299ec7073fec8495121df66f522e2746ea1c20135f060829cc679dd793598a0f
                                                                                                  • Opcode Fuzzy Hash: e39f1e170116239d7bc8c90bbf147e6a5164738d80efeadc651a652cba6691c3
                                                                                                  • Instruction Fuzzy Hash: C0219071D40226ABCB219F54DC88ABEBBB8EF48B50F004512F845E7140D770AA96C7D1

Control-flow Graph (rendered graphically in the original report): function 02C680C9-02C68273, calling RegOpenKeyExA, RegQueryValueExA (twice), RegCloseKey and subroutines 02C66EC3, 02C67EE6, 02C6704C, 02C6675C, 02C62544, 02C624C2, 02C6EC2E, 02C6EBCC, 02C6EE2A, 02C6EF00.
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02C6815F
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02C6A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02C68187
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02C6A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02C681BE
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02C68210
                                                                                                    • Part of subcall function 02C6675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 02C6677E
                                                                                                    • Part of subcall function 02C6675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 02C6679A
                                                                                                    • Part of subcall function 02C6675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 02C667B0
                                                                                                    • Part of subcall function 02C6675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 02C667BF
                                                                                                    • Part of subcall function 02C6675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 02C667D3
                                                                                                    • Part of subcall function 02C6675C: ReadFile.KERNELBASE(000000FF,?,00000040,02C68244,00000000,?,771B0F10,00000000), ref: 02C66807
                                                                                                    • Part of subcall function 02C6675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02C6681F
                                                                                                    • Part of subcall function 02C6675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 02C6683E
                                                                                                    • Part of subcall function 02C6675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02C6685C
                                                                                                    • Part of subcall function 02C6EC2E: GetProcessHeap.KERNEL32(00000000,02C6EA27,00000000,02C6EA27,00000000), ref: 02C6EC41
                                                                                                    • Part of subcall function 02C6EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02C6EC48
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                  • String ID: C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe
                                                                                                  • API String ID: 124786226-541925129
                                                                                                  • Opcode ID: 861b8b7500dedac994307b083a9ab8a5779ac5160fb2e46d7fdd685d21c56455
                                                                                                  • Instruction ID: 7ffde205d1601004a47ab82dbe42ee9561e7fc59f534abdbdc54c4dddfde3898
                                                                                                  • Opcode Fuzzy Hash: 861b8b7500dedac994307b083a9ab8a5779ac5160fb2e46d7fdd685d21c56455
                                                                                                  • Instruction Fuzzy Hash: 8A4180B2D45109BFEB11EBA0DDC8EBE77BDAB44704F140A6AE901A2000E7705F5C9B62

Control-flow Graph (rendered graphically in the original report): function 02C61AC3-02C61B70, calling LoadLibraryA, GetProcAddress, GetAdaptersAddresses and subroutines 02C6EBED, 02C6EC2E.
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02C61AD4
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02C61AE9
                                                                                                  • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02C61B20
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                  • API String ID: 3646706440-1087626847
                                                                                                  • Opcode ID: 10f75e25506b84bc177c3fcaef8e7109c95a24a365f15d6f61c4e3f9182964bb
                                                                                                  • Instruction ID: 19472795d238038a8129e430dff52670cd7249c3ea231c18581e5ff09a0d1d2b
                                                                                                  • Opcode Fuzzy Hash: 10f75e25506b84bc177c3fcaef8e7109c95a24a365f15d6f61c4e3f9182964bb
                                                                                                  • Instruction Fuzzy Hash: 0E1187B5E01124AFDB159BA9DCC9CBDBBBAEBC4B11B184156E009E7200E7705B40DB94

Control-flow Graph (rendered graphically in the original report): function 02C6E3CA-02C6E52D, calling RegOpenKeyExA, RegQueryValueExA (three times), RegCloseKey and subroutines 02C6EE08, 02C6F1ED, 02C6DB2E, 02C62544, 02C6E332.
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,02C6E5F2,00000000,00020119,02C6E5F2,02C722F8), ref: 02C6E3E6
                                                                                                  • RegQueryValueExA.ADVAPI32(02C6E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02C6E44E
                                                                                                  • RegQueryValueExA.ADVAPI32(02C6E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02C6E482
                                                                                                  • RegQueryValueExA.ADVAPI32(02C6E5F2,?,00000000,?,80000001,?), ref: 02C6E4CF
                                                                                                  • RegCloseKey.ADVAPI32(02C6E5F2,?,?,?,?,000000C8,000000E4), ref: 02C6E520
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1586453840-0
                                                                                                  • Opcode ID: 383fa03fa0f185f986904a5ac5e1ef11c589370cb26c6745868e05c007df9437
                                                                                                  • Instruction ID: d6edff56d1aa729f17f58ac90b107de748d5d0465824f305fff31e2eab493d66
                                                                                                  • Opcode Fuzzy Hash: 383fa03fa0f185f986904a5ac5e1ef11c589370cb26c6745868e05c007df9437
                                                                                                  • Instruction Fuzzy Hash: F74106B6D0021DAFEF119FE4DC84EFEBBBAFB48344F144566E911A2150E3319A159FA0

Control-flow Graph (rendered graphically in the original report): function 02C6F26D-02C6F303, a single basic block calling setsockopt five times.
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02C6F2A0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02C6F2C0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02C6F2DD
                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02C6F2EC
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02C6F2FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: setsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 3981526788-0
                                                                                                  • Opcode ID: e90ebd07b7731aa1aa5a9264a76623dad034f2a7af9f45e8e7d223c9a30b70a7
                                                                                                  • Instruction ID: 7693878618e0a3440737847208498ebba40fd6f219bec8f4cbe7337a8d35fedb
                                                                                                  • Opcode Fuzzy Hash: e90ebd07b7731aa1aa5a9264a76623dad034f2a7af9f45e8e7d223c9a30b70a7
                                                                                                  • Instruction Fuzzy Hash: ED110DB2A40248BAEF11DF94CD41FDE7FBCEB44751F004066BB04EA1D0E6B19A44CB94
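Added example, not code from the Joe Sandbox report or from the analysed sample: a small Python decoder that turns the raw hex arguments in the API listings above into the Windows SDK constant names, so the setsockopt, RegOpenKeyExA, CreateFileA, SetFileAttributesA, DnsQuery_A and GetAdaptersAddresses calls can be read at a glance. The constant values are the public SDK definitions (SOL_SOCKET 0xFFFF, SO_SNDTIMEO 0x1005, KEY_WOW64_64KEY 0x100, DNS_TYPE_MX 0xF and so on); the parameter counts come from the SDK prototypes. Two caveats that the listings themselves show: the report prints a fixed window of stack slots, so values past an API's parameter count (RegCloseKey has one parameter but eleven columns) are read here as stack residue such as return addresses and are kept separate, and a "?" marks a slot the sandbox did not record, so a call whose needed slot is "?" decodes to None rather than to a guess. The sample lines are constructed input copied from the listings.

```python
"""Decode the hex arguments in Joe Sandbox API-trace lines into Win32 symbolic names.

Added example, not code from the Joe Sandbox report or the analysed sample. Constant
values are the public Windows SDK definitions. SAMPLE_TRACE is constructed test input
copied from the report's API listings.
"""
import re

SAMPLE_TRACE = """\
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02C6F2A0
setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02C6F2C0
setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02C6F2DD
setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02C6F2EC
setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02C6F2FD
RegOpenKeyExA.KERNELBASE(80000001,02C6E5F2,00000000,00020119,02C6E5F2,02C722F8), ref: 02C6E3E6
Part of subcall function 02C6675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 02C6679A
Part of subcall function 02C6675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 02C667BF
DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02C62D77
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02C61B20
"""

# Matches "Api.MODULE(args), ref: ADDR" anywhere in the line (prefixes like
# "Part of subcall function ...:" are skipped by searching rather than anchoring).
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Formal parameter count per API, from the SDK prototypes. The report prints a fixed
# window of stack slots, so anything past the arity is treated as stack residue.
ARITY = {"setsockopt": 5, "RegOpenKeyExA": 5, "CreateFileA": 7,
         "SetFileAttributesA": 2, "DnsQuery_A": 6, "GetAdaptersAddresses": 5}

SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
SOCKOPT = {(SOL_SOCKET, 0x0004): "SO_REUSEADDR", (SOL_SOCKET, 0x0080): "SO_LINGER",
           (SOL_SOCKET, 0x1005): "SO_SNDTIMEO", (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
           (IPPROTO_TCP, 0x0001): "TCP_NODELAY"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_FLAGS = [(0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
             (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
             (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
             (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x80, "FILE_ATTRIBUTE_NORMAL")]
DNS_TYPE = {1: "DNS_TYPE_A", 2: "DNS_TYPE_NS", 5: "DNS_TYPE_CNAME", 15: "DNS_TYPE_MX",
            16: "DNS_TYPE_TEXT", 28: "DNS_TYPE_AAAA"}
AF = {0: "AF_UNSPEC", 2: "AF_INET", 23: "AF_INET6"}


def flags(value, table):
    """Render a bitmask as NAME|NAME, keeping bits the table does not know as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def parse_line(line):
    """Split one trace line into api, module, ref, parameters (None for '?') and residue."""
    m = CALL_RE.search(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    values = [None if a.strip() == "?" else int(a, 16) for a in argstr.split(",")]
    n = ARITY.get(api, len(values))
    return {"api": api, "module": module, "ref": ref,
            "args": values[:n], "residue": values[n:]}


def decode(call):
    """Return a symbolic reading of the call, or None if a needed slot was '?'."""
    api, a = call["api"], call["args"]
    try:
        if api == "setsockopt":   # (s, level, optname, optval, optlen)
            return SOCKOPT.get((a[1], a[2]), f"level={a[1]:#x} optname={a[2]:#x}")
        if api == "RegOpenKeyExA":  # (hKey, lpSubKey, ulOptions, samDesired, phkResult)
            return f"{HKEY.get(a[0], hex(a[0]))} samDesired={flags(a[3], KEY_FLAGS)}"
        if api == "CreateFileA":  # (name, access, share, sa, disposition, attrs, template)
            return (f"{flags(a[1], ACCESS)} share={flags(a[2], SHARE)} "
                    f"{DISPOSITION.get(a[4], hex(a[4]))} attrs={flags(a[5], FILE_ATTR)}")
        if api == "SetFileAttributesA":  # (name, attrs)
            return flags(a[1], FILE_ATTR)
        if api == "DnsQuery_A":  # (name, wType, options, extra, results, reserved)
            return DNS_TYPE.get(a[1], f"wType={a[1]:#x}")
        if api == "GetAdaptersAddresses":  # (family, flags, reserved, buffer, size)
            return AF.get(a[0], f"Family={a[0]:#x}")
    except (TypeError, IndexError):  # a needed slot was '?' or not captured
        return None
    return None


def decode_trace(text):
    """Decode every parsable line; returns a list of (ref, api, symbolic) tuples."""
    out = []
    for line in text.splitlines():
        call = parse_line(line)
        if call:
            out.append((call["ref"], call["api"], decode(call)))
    return out


if __name__ == "__main__":
    for ref, api, sym in decode_trace(SAMPLE_TRACE):
        print(f"{ref}  {api:<22} {sym}")
```

Run against the listings, the decode reads as: the injected code opens HKEY_CURRENT_USER with KEY_READ plus KEY_WOW64_64KEY (a 32-bit process under SysWOW64 asking for the 64-bit registry view), opens the file named in the function's string (C:\Windows\SysWOW64\tdomrpcj\lsremmuy.exe) for GENERIC_READ with OPEN_EXISTING after first resetting its attributes to NORMAL and then marks it HIDDEN, asks dnsapi for MX records (the lookup a direct-to-MX mailer needs), enumerates AF_INET adapters, and configures its sockets with SO_REUSEADDR, send and receive timeouts, TCP_NODELAY and SO_LINGER. Where the recorded columns do not line up with the prototype, as with the RegOpenKeyExA at 02C6815F whose samDesired slot is "?", the decoder returns None rather than reading a value from the residue.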

Control-flow Graph (rendered graphically in the original report): function 02C61BDF-02C61C5E, calling subroutine 02C61AC3, GetComputerNameA and GetVolumeInformationA.
                                                                                                  APIs
                                                                                                    • Part of subcall function 02C61AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02C61AD4
                                                                                                    • Part of subcall function 02C61AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02C61AE9
                                                                                                    • Part of subcall function 02C61AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02C61B20
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 02C61C15
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02C61C51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: hi_id$localcfg
                                                                                                  • API String ID: 2794401326-2393279970
                                                                                                  • Opcode ID: 195d0be5c891fdeb4d3349aa23c978b404d0ef3397283dbe172cb43ca3518744
                                                                                                  • Instruction ID: fe82df99cee3b28d321edd803f4b52c14902ce064ac1511d4407f9a5040750ef
                                                                                                  • Opcode Fuzzy Hash: 195d0be5c891fdeb4d3349aa23c978b404d0ef3397283dbe172cb43ca3518744
                                                                                                  • Instruction Fuzzy Hash: DF018472904518BBEB10DEE9C8C89FFBABDAB44656F140475D606E2240D6709E4496A0
                                                                                                  APIs
                                                                                                    • Part of subcall function 02C61AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02C61AD4
                                                                                                    • Part of subcall function 02C61AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02C61AE9
                                                                                                    • Part of subcall function 02C61AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02C61B20
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 02C61BA3
                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02C61EFD,00000000,00000000,00000000,00000000), ref: 02C61BB8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2794401326-1857712256
                                                                                                  • Opcode ID: 460d759aab51975a442ba3cdf7e9ef08843fb1d3c3ed7f029b9616c1e4b2b677
                                                                                                  • Instruction ID: 9a1bb5421b8be2548f57d44c552275fff4e1fbe77cce204a077ad972307c02f3
                                                                                                  • Opcode Fuzzy Hash: 460d759aab51975a442ba3cdf7e9ef08843fb1d3c3ed7f029b9616c1e4b2b677
                                                                                                  • Instruction Fuzzy Hash: 31014FB6D00118BFE7019AE9C8859EFFABDAB88665F150562A605E7140D5705E084BE0
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(00000001), ref: 02C62693
                                                                                                  • gethostbyname.WS2_32(00000001), ref: 02C6269F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                  • Opcode ID: eac8e5818b0f41a33b211fac407e550aff8c2375e80d44e5597839836d27e51e
                                                                                                  • Instruction ID: e6560f245753da586fe97a19b955f5bf08c7ce20deeaee9873253ad5cb7104c9
                                                                                                  • Opcode Fuzzy Hash: eac8e5818b0f41a33b211fac407e550aff8c2375e80d44e5597839836d27e51e
                                                                                                  • Instruction Fuzzy Hash: F7E0C231A040118FCB108B28F488BE937E4EF86230F014680F850C3190C730DD809791
                                                                                                  APIs
                                                                                                    • Part of subcall function 02C6DD05: GetTickCount.KERNEL32 ref: 02C6DD0F
                                                                                                    • Part of subcall function 02C6DD05: InterlockedExchange.KERNEL32(02C736B4,00000001), ref: 02C6DD44
                                                                                                    • Part of subcall function 02C6DD05: GetCurrentThreadId.KERNEL32 ref: 02C6DD53
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,02C6A445), ref: 02C6E558
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,771B0F10,?,00000000,?,02C6A445), ref: 02C6E583
                                                                                                  • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,02C6A445), ref: 02C6E5B2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
APIs
• Sleep.KERNELBASE(000003E8), ref: 02C688A5
  • Part of subcall function 02C6F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02C6E342,00000000,7686EA50,80000001,00000000,02C6E513,?,00000000,00000000,?,000000E4), ref: 02C6F089
  • Part of subcall function 02C6F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02C6E342,00000000,7686EA50,80000001,00000000,02C6E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02C6F093
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02C722F8,02C642B6,00000000,00000001,02C722F8,00000000,?,02C698FD), ref: 02C64021
• GetLastError.KERNEL32(?,02C698FD,00000001,00000100,02C722F8,02C6A3C7), ref: 02C6402C
• Sleep.KERNEL32(000001F4,?,02C698FD,00000001,00000100,02C722F8,02C6A3C7), ref: 02C64046
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
APIs
• GetEnvironmentVariableA.KERNEL32(02C6DC19,?,00000104), ref: 02C6DB7F
• lstrcpyA.KERNEL32(?,02C728F8), ref: 02C6DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02C6DBC2
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 02C6EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02C6EC72
• GetTickCount.KERNEL32 ref: 02C6EC78
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
APIs
• gethostname.WS2_32(?,00000080), ref: 02C630D8
• gethostbyname.WS2_32(?), ref: 02C630E2
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,02C6DB55,7FFF0001), ref: 02C6EC13
• RtlReAllocateHeap.NTDLL(00000000,?,02C6DB55,7FFF0001), ref: 02C6EC1A
  • Part of subcall function 02C6EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02C6EBFE,7FFF0001,?,02C6DB55,7FFF0001), ref: 02C6EBD3
  • Part of subcall function 02C6EBCC: RtlAllocateHeap.NTDLL(00000000,?,02C6DB55,7FFF0001), ref: 02C6EBDA
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
APIs
  • Part of subcall function 02C6EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02C6EC0A,00000000,80000001,?,02C6DB55,7FFF0001), ref: 02C6EBAD
  • Part of subcall function 02C6EBA0: HeapSize.KERNEL32(00000000,?,02C6DB55,7FFF0001), ref: 02C6EBB4
• GetProcessHeap.KERNEL32(00000000,02C6EA27,00000000,02C6EA27,00000000), ref: 02C6EC41
• RtlFreeHeap.NTDLL(00000000), ref: 02C6EC48
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,02C6EBFE,7FFF0001,?,02C6DB55,7FFF0001), ref: 02C6EBD3
• RtlAllocateHeap.NTDLL(00000000,?,02C6DB55,7FFF0001), ref: 02C6EBDA
  • Part of subcall function 02C6EB74: GetProcessHeap.KERNEL32(00000000,00000000,02C6EC28,00000000,?,02C6DB55,7FFF0001), ref: 02C6EB81
  • Part of subcall function 02C6EB74: HeapSize.KERNEL32(00000000,?,02C6DB55,7FFF0001), ref: 02C6EB88
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
APIs
• recv.WS2_32(000000C8,?,00000000,02C6CA44), ref: 02C6F476
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
APIs
• closesocket.WS2_32(00000000), ref: 02C61992
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 02C6DDB5
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02C69816,EntryPoint), ref: 02C6638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02C69816,EntryPoint), ref: 02C663A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02C663CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02C663EB
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02C61839,02C69646), ref: 02C61012
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02C610C2
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02C610E1
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02C61101
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02C61121
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02C61140
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02C61160
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02C61180
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02C6119F
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02C611BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02C611DF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02C611FE
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02C6121A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                  • Opcode ID: 34d141dd4630ff641efe9e5856f2bf78435f0533cd5b52ffacdc60a83cee91ae
                                                                                                  • Instruction ID: ceb511a725eb4c6f85d9567c5c44c487e011afe0246b90cefa37864581513de7
                                                                                                  • Opcode Fuzzy Hash: 34d141dd4630ff641efe9e5856f2bf78435f0533cd5b52ffacdc60a83cee91ae
                                                                                                  • Instruction Fuzzy Hash: D751DB7198268197EB108B6CEC8476273E86788375F1C47A69829D73D0D7F0C299EF92
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 02C6B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 02C6B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02C6B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 02C6B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02C6B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 02C6B329
                                                                                                  • wsprintfA.USER32 ref: 02C6B3B7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  • API String ID: 766114626-2976066047
                                                                                                  • Opcode ID: ebc2ac0e43f2144fb616766ce8d4d63ef0a968ccabdea2b3983cbe652b58a68b
                                                                                                  • Instruction ID: c642ce9507801ad44d038302185c5b24d8ebae4da6375babf284a26d241622c5
                                                                                                  • Opcode Fuzzy Hash: ebc2ac0e43f2144fb616766ce8d4d63ef0a968ccabdea2b3983cbe652b58a68b
                                                                                                  • Instruction Fuzzy Hash: 915137B1E00619AADF14CFD5DA889EFBBB9BF48308F1444A9E605FA150D7744A88CB91
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: 0f879c6d9e2ea53ada13950bd56c0b3e41c34dd9713f329b24a0ab33df8403ff
                                                                                                  • Instruction ID: 1ac6068f0b64d1709efd6a05b33523d5a4dffd718d31a20a6b7f0a715c54c86e
                                                                                                  • Opcode Fuzzy Hash: 0f879c6d9e2ea53ada13950bd56c0b3e41c34dd9713f329b24a0ab33df8403ff
                                                                                                  • Instruction Fuzzy Hash: 55616C72940208AFEB609FB4DC85FEA77E9FF48300F248569F969D2121EA7199548F50
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 02C6A7FB
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02C6A87E
                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 02C6A893
                                                                                                  • wsprintfA.USER32 ref: 02C6A8AF
                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 02C6A8D2
                                                                                                  • wsprintfA.USER32 ref: 02C6A8E2
                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02C6A97C
                                                                                                  • wsprintfA.USER32 ref: 02C6A9B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                  • Opcode ID: 88a2b632650e0f9acb4810cd25f692555208e86c759f4dc0b3ff86ce398d3185
                                                                                                  • Instruction ID: 2b866e1e1087b0a11dedf449ac72282eac230ff7b0027ef968684f3ba2f3833d
                                                                                                  • Opcode Fuzzy Hash: 88a2b632650e0f9acb4810cd25f692555208e86c759f4dc0b3ff86ce398d3185
                                                                                                  • Instruction Fuzzy Hash: AAA11871984345AFEF208A54DCCDFBE776AFF84708F140466F902B6090DB719A58CB95
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 02C6139A
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 02C61571
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                                  • API String ID: 1628651668-1839596206
                                                                                                  • Opcode ID: 158ccd209a3a7a043f144ce3aef63f267333ad59ac64aecce5b88828f2144819
                                                                                                  • Instruction ID: c22dc4f85539f912133f47c4451e0966dc039763361f9585ec6d2ebd8a92733a
                                                                                                  • Opcode Fuzzy Hash: 158ccd209a3a7a043f144ce3aef63f267333ad59ac64aecce5b88828f2144819
                                                                                                  • Instruction Fuzzy Hash: C3F149B55083419FD720DF64C8C8BAAB7E5FB88305F084A2DF99A97390D7B4D948CB52
                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 02C62A83
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 02C62A86
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 02C62AA0
                                                                                                  • htons.WS2_32(00000000), ref: 02C62ADB
                                                                                                  • select.WS2_32 ref: 02C62B28
                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 02C62B4A
                                                                                                  • htons.WS2_32(?), ref: 02C62B71
                                                                                                  • htons.WS2_32(?), ref: 02C62B8C
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02C62BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 1639031587-0
                                                                                                  • Opcode ID: 336d3e58a2437f0dbe9c10bd9f3d0425370b0c33fb2e50aaae69c1a0112ade2b
                                                                                                  • Instruction ID: aafa43bbfe8bf8bfea5a04356ccf000d8e12b0826d39313e36ff1809351ddc8a
                                                                                                  • Opcode Fuzzy Hash: 336d3e58a2437f0dbe9c10bd9f3d0425370b0c33fb2e50aaae69c1a0112ade2b
                                                                                                  • Instruction Fuzzy Hash: 3761EE72944705AFE3209F65DC8CB7ABBE9FB88745F010909FD8997150D7B0D944CBA2
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 02C670C2
                                                                                                  • RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 02C6719E
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 02C671B2
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 02C67208
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 02C67291
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 02C672C2
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 02C672D0
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 02C67314
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02C6738D
                                                                                                  • RegCloseKey.ADVAPI32(771B0F10), ref: 02C673D8
                                                                                                    • Part of subcall function 02C6F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02C722F8,000000C8,02C67150,?), ref: 02C6F1AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                  • String ID: $"
                                                                                                  • API String ID: 4293430545-3817095088
                                                                                                  • Opcode ID: 277fa1bb2a95ee371aaf55ffe14ccf934226233f806669ebef96016a06a007ab
                                                                                                  • Instruction ID: 2d8c7ec95d988100d9039b154f290177ad8cc7b1de09678e402b46a34336bbc2
                                                                                                  • Opcode Fuzzy Hash: 277fa1bb2a95ee371aaf55ffe14ccf934226233f806669ebef96016a06a007ab
                                                                                                  • Instruction Fuzzy Hash: DDB18F72844209EEDF149FA4DC88FFEB7B9EF44314F100966F505E2080EB759A88CB61
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 02C6AD98
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 02C6ADA6
                                                                                                    • Part of subcall function 02C6AD08: gethostname.WS2_32(?,00000080), ref: 02C6AD1C
                                                                                                    • Part of subcall function 02C6AD08: lstrlenA.KERNEL32(00000000), ref: 02C6AD60
                                                                                                    • Part of subcall function 02C6AD08: lstrlenA.KERNEL32(00000000), ref: 02C6AD69
                                                                                                    • Part of subcall function 02C6AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02C6AD7F
                                                                                                    • Part of subcall function 02C630B5: gethostname.WS2_32(?,00000080), ref: 02C630D8
                                                                                                    • Part of subcall function 02C630B5: gethostbyname.WS2_32(?), ref: 02C630E2
                                                                                                  • wsprintfA.USER32 ref: 02C6AEA5
                                                                                                    • Part of subcall function 02C6A7A3: inet_ntoa.WS2_32(?), ref: 02C6A7A9
                                                                                                  • wsprintfA.USER32 ref: 02C6AE4F
                                                                                                  • wsprintfA.USER32 ref: 02C6AE5E
                                                                                                    • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02C6EF92
                                                                                                    • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(?), ref: 02C6EF99
                                                                                                    • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(00000000), ref: 02C6EFA0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                  • API String ID: 3631595830-1816598006
                                                                                                  • Opcode ID: efe8cebab4f3bab6e85230dcabd19a1cff8a432ec08760e55604ae80cef43d62
                                                                                                  • Instruction ID: 6b0d8fcd339dbaa623b14ceeaec471db8d401c91acbee929d066d26cf4ed24e3
                                                                                                  • Opcode Fuzzy Hash: efe8cebab4f3bab6e85230dcabd19a1cff8a432ec08760e55604ae80cef43d62
                                                                                                  • Instruction Fuzzy Hash: 02412FB690024CABEF25EFA1DC89EEE3BADFF08300F140426F915A2151EA71D654DF50
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62E01
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62E11
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02C62E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62E4F
• htons.WS2_32(00000035), ref: 02C62E88
• inet_addr.WS2_32(?), ref: 02C62E93
• gethostbyname.WS2_32(?), ref: 02C62EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62EE3
• HeapFree.KERNEL32(00000000,?,00000000,02C62F0F,?,02C620FF,02C72000), ref: 02C62EE6
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
APIs
• GetVersionExA.KERNEL32(?,?,02C69DD7,?,00000022,?,?,00000000,00000001), ref: 02C69340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02C69DD7,?,00000022,?,?,00000000,00000001), ref: 02C6936E
• GetModuleFileNameA.KERNEL32(00000000,?,02C69DD7,?,00000022,?,?,00000000,00000001), ref: 02C69375
• wsprintfA.USER32 ref: 02C693CE
• wsprintfA.USER32 ref: 02C6940C
• wsprintfA.USER32 ref: 02C6948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02C694F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02C69526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02C69571
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
APIs
• wsprintfA.USER32 ref: 02C6B467
  • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02C6EF92
  • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(?), ref: 02C6EF99
  • Part of subcall function 02C6EF7C: lstrlenA.KERNEL32(00000000), ref: 02C6EFA0
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
APIs
• GetTickCount.KERNEL32 ref: 02C62078
• GetTickCount.KERNEL32 ref: 02C620D4
• GetTickCount.KERNEL32 ref: 02C620DB
• GetTickCount.KERNEL32 ref: 02C6212B
• GetTickCount.KERNEL32 ref: 02C62132
• GetTickCount.KERNEL32 ref: 02C62142
  • Part of subcall function 02C6F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02C6E342,00000000,7686EA50,80000001,00000000,02C6E513,?,00000000,00000000,?,000000E4), ref: 02C6F089
  • Part of subcall function 02C6F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02C6E342,00000000,7686EA50,80000001,00000000,02C6E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02C6F093
  • Part of subcall function 02C6E854: lstrcpyA.KERNEL32(00000001,?,?,02C6D8DF,00000001,localcfg,except_info,00100000,02C70264), ref: 02C6E88B
  • Part of subcall function 02C6E854: lstrlenA.KERNEL32(00000001,?,02C6D8DF,00000001,localcfg,except_info,00100000,02C70264), ref: 02C6E899
  • Part of subcall function 02C61C5F: wsprintfA.USER32 ref: 02C61CE1
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
APIs
  • Part of subcall function 02C6A4C7: GetTickCount.KERNEL32 ref: 02C6A4D1
  • Part of subcall function 02C6A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02C6A4FA
• GetTickCount.KERNEL32 ref: 02C6C31F
• GetTickCount.KERNEL32 ref: 02C6C32B
• GetTickCount.KERNEL32 ref: 02C6C363
• GetTickCount.KERNEL32 ref: 02C6C378
• GetTickCount.KERNEL32 ref: 02C6C44D
• InterlockedIncrement.KERNEL32(02C6C4E4), ref: 02C6C4AE
• CreateThread.KERNEL32(00000000,00000000,02C6B535,00000000,?,02C6C4E0), ref: 02C6C4C1
• CloseHandle.KERNEL32(00000000,?,02C6C4E0,02C73588,02C68810), ref: 02C6C4CC
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02C6BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02C6BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02C6BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02C6BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02C6BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02C6BF94
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66A7D
• GetDiskFreeSpaceA.KERNEL32(02C69E9D,02C69A60,?,?,?,02C722F8,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02C69A60,?,?,02C69E9D), ref: 02C66B80
• GetLastError.KERNEL32(?,?,?,02C69A60,?,?,02C69E9D,?,?,?,?,?,02C69E9D,?,00000022,?), ref: 02C66B96
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
APIs
• GetUserNameA.ADVAPI32(?,02C6D7C3), ref: 02C66F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02C6D7C3), ref: 02C66FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02C66FE8
• LocalFree.KERNEL32(00000120), ref: 02C6701F
• wsprintfA.USER32 ref: 02C67036
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02C722F8,000000E4,02C66DDC,000000C8), ref: 02C66CE7
• GetProcAddress.KERNEL32(00000000), ref: 02C66CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02C66D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02C66D2B
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
APIs
• CreateProcessA.KERNEL32(00000000,02C69947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02C722F8), ref: 02C697B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02C722F8), ref: 02C697EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02C722F8), ref: 02C697F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02C722F8), ref: 02C69831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02C722F8), ref: 02C6984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02C722F8), ref: 02C6985B
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
                                                                                                  APIs
                                                                                                    • Part of subcall function 02C6DD05: GetTickCount.KERNEL32 ref: 02C6DD0F
                                                                                                    • Part of subcall function 02C6DD05: InterlockedExchange.KERNEL32(02C736B4,00000001), ref: 02C6DD44
                                                                                                    • Part of subcall function 02C6DD05: GetCurrentThreadId.KERNEL32 ref: 02C6DD53
                                                                                                    • Part of subcall function 02C6DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02C6DDB5
                                                                                                  • lstrcpynA.KERNEL32(?,02C61E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02C6EAAA,?,?), ref: 02C6E8DE
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02C6EAAA,?,?,00000001,?,02C61E84,?), ref: 02C6E935
                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02C6EAAA,?,?,00000001,?,02C61E84,?,0000000A), ref: 02C6E93D
                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02C6EAAA,?,?,00000001,?,02C61E84,?), ref: 02C6E94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                  • String ID: flags_upd$localcfg
                                                                                                  • API String ID: 204374128-3505511081
                                                                                                  • Opcode ID: 203944bccf2bd4f5a09ce54286681a3306345c49bab30a6924c80646721d076a
                                                                                                  • Instruction ID: b45b884706ff3669df25d664bb7b6cc76c0e9aae100fae13a375f86fadfa74c1
                                                                                                  • Opcode Fuzzy Hash: 203944bccf2bd4f5a09ce54286681a3306345c49bab30a6924c80646721d076a
                                                                                                  • Instruction Fuzzy Hash: B3512E7690020AAFCF11EFE8C988DAEBBF9FF48304F14456AE405A7650D735EA14DB50
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  • Opcode ID: 66a2951da36930d8bbfdf5b0ed894109fee9028325050d23336c5ec770205ebe
                                                                                                  • Instruction ID: 6ab567eca653ffcd585839080415099b55d3ec30f14739c8d999a256e9c646c7
                                                                                                  • Opcode Fuzzy Hash: 66a2951da36930d8bbfdf5b0ed894109fee9028325050d23336c5ec770205ebe
                                                                                                  • Instruction Fuzzy Hash: D4216F76504905FFDB115B71ED8CEAF3BAEEB84764B204916F502E1040EB359A14E7B4
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,02C722F8), ref: 02C6907B
                                                                                                  • wsprintfA.USER32 ref: 02C690E9
                                                                                                  • CreateFileA.KERNEL32(02C722F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02C6910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02C69122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02C6912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02C69134
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2439722600-0
                                                                                                  • Opcode ID: 623a52feaaf88a00571f4292f882f03e7a9e7bbd79b84b0ae41ec47b95011211
                                                                                                  • Instruction ID: 7c53df2bceca891f70db3ab525be9b54c7d20026c3cbeac566751ac091a65208
                                                                                                  • Opcode Fuzzy Hash: 623a52feaaf88a00571f4292f882f03e7a9e7bbd79b84b0ae41ec47b95011211
                                                                                                  • Instruction Fuzzy Hash: 5611D6B6A405147BF7256636DC4DFBF3A6FDFC4B10F008565BB0AA1040EA704A159BA0
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02C6DD0F
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02C6DD20
                                                                                                  • GetTickCount.KERNEL32 ref: 02C6DD2E
                                                                                                  • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,02C6E538,?,771B0F10,?,00000000,?,02C6A445), ref: 02C6DD3B
                                                                                                  • InterlockedExchange.KERNEL32(02C736B4,00000001), ref: 02C6DD44
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02C6DD53
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3819781495-0
                                                                                                  • Opcode ID: ceb7327fe9fd2d1ae3c618508fcfc4428882c3a6b6a0b549c027df0fb0c177b6
                                                                                                  • Instruction ID: 13c0b7367d8b91d922ab840d0e41bb6880a1e703644d00ba6863cdcd0a63b4da
                                                                                                  • Opcode Fuzzy Hash: ceb7327fe9fd2d1ae3c618508fcfc4428882c3a6b6a0b549c027df0fb0c177b6
                                                                                                  • Instruction Fuzzy Hash: CCF08272A842449FD7806B66ACC8B3D7BA5FB45762F100A5AE60AC3241C720506DDFB2
                                                                                                  APIs
                                                                                                  • gethostname.WS2_32(?,00000080), ref: 02C6AD1C
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 02C6AD60
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 02C6AD69
                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02C6AD7F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                  • String ID: LocalHost
                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                  • Opcode ID: 0bb72cabbd00f1a5f71e6a0f301cd37d80fa7dba7253158b17a37ff03277a418
                                                                                                  • Instruction ID: ad7fc25890c65ef2faddcd9b9394a36053d9506c9f1f6f4a6bf118bb85965e5e
                                                                                                  • Opcode Fuzzy Hash: 0bb72cabbd00f1a5f71e6a0f301cd37d80fa7dba7253158b17a37ff03277a418
                                                                                                  • Instruction Fuzzy Hash: FD012420C841895DDF314A38D8CCBB97F6AAFC775AF100056E4C0BB116EF24D28787A2
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02C698FD,00000001,00000100,02C722F8,02C6A3C7), ref: 02C64290
                                                                                                  • CloseHandle.KERNEL32(02C6A3C7), ref: 02C643AB
                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 02C643AE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                  • String ID:
                                                                                                  • API String ID: 1371578007-0
                                                                                                  • Opcode ID: 633b5ad9c4b01280dc17b46529289e1d3abbc04211c43f1885173d253329f668
                                                                                                  • Instruction ID: f19071a719077b01edd5f42254f506ffe8cfa944bc26e1ae9638a41d5699084b
                                                                                                  • Opcode Fuzzy Hash: 633b5ad9c4b01280dc17b46529289e1d3abbc04211c43f1885173d253329f668
                                                                                                  • Instruction Fuzzy Hash: 794189B1C40209BADB20ABB1DD89FBFBFBDEF40324F1046A5F614A6180D7758650DBA1
                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02C664CF,00000000), ref: 02C6609C
                                                                                                  • LoadLibraryA.KERNEL32(?,?,02C664CF,00000000), ref: 02C660C3
                                                                                                  • GetProcAddress.KERNEL32(?,00000014), ref: 02C6614A
                                                                                                  • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02C6619E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Read$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2438460464-0
                                                                                                  • Opcode ID: df77ef372d742ab67206f41517f1ae10615d94a3d070e5a7c3fc5bde3e81ae79
                                                                                                  • Instruction ID: bff402d9f1deef77979f02150a14327c770c335fcc86f158823900fbb886732c
                                                                                                  • Opcode Fuzzy Hash: df77ef372d742ab67206f41517f1ae10615d94a3d070e5a7c3fc5bde3e81ae79
                                                                                                  • Instruction Fuzzy Hash: 99416D71E00106AFDB14CF65CCC8BB9B7B9EF44358F248169E815D7291D739EA45CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c999cdbafd7cc05e2cc4b4e1210e48b70d1a0eba6e4160a36f77067381c97a24
                                                                                                  • Instruction ID: 63f5e364d7e5b280b3a4ac3d2f0d261eea0d9e9ffc75858cd2f957e907c4cc6f
                                                                                                  • Opcode Fuzzy Hash: c999cdbafd7cc05e2cc4b4e1210e48b70d1a0eba6e4160a36f77067381c97a24
                                                                                                  • Instruction Fuzzy Hash: D731B072A40309ABDB209FA5CCC5BBEB7F4FF48701F108456E944EA241E3B4D651DB61
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02C6272E
                                                                                                  • htons.WS2_32(00000001), ref: 02C62752
                                                                                                  • htons.WS2_32(0000000F), ref: 02C627D5
                                                                                                  • htons.WS2_32(00000001), ref: 02C627E3
                                                                                                  • sendto.WS2_32(?,02C72BF8,00000009,00000000,00000010,00000010), ref: 02C62802
                                                                                                    • Part of subcall function 02C6EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02C6EBFE,7FFF0001,?,02C6DB55,7FFF0001), ref: 02C6EBD3
                                                                                                    • Part of subcall function 02C6EBCC: RtlAllocateHeap.NTDLL(00000000,?,02C6DB55,7FFF0001), ref: 02C6EBDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                  • String ID:
                                                                                                  • API String ID: 1128258776-0
                                                                                                  • Opcode ID: 7da245f7392146de82fe19c7cb760fd65b3c2665b5af183aa6b08549213c5933
                                                                                                  • Instruction ID: e5b4df4aa07b8110ba498625ac3e7eef273417de96419ca3cbfe5f03c6ab3f75
                                                                                                  • Opcode Fuzzy Hash: 7da245f7392146de82fe19c7cb760fd65b3c2665b5af183aa6b08549213c5933
                                                                                                  • Instruction Fuzzy Hash: D7315434A843829FD7208F74D880F717B60EF59318F1A896DEC56DB302D6329886DB02
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02C722F8), ref: 02C6915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 02C69166
                                                                                                  • CharToOemA.USER32(?,?), ref: 02C69174
                                                                                                  • wsprintfA.USER32 ref: 02C691A9
                                                                                                    • Part of subcall function 02C69064: GetTempPathA.KERNEL32(00000400,?,00000000,02C722F8), ref: 02C6907B
                                                                                                    • Part of subcall function 02C69064: wsprintfA.USER32 ref: 02C690E9
                                                                                                    • Part of subcall function 02C69064: CreateFileA.KERNEL32(02C722F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02C6910E
                                                                                                    • Part of subcall function 02C69064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02C69122
                                                                                                    • Part of subcall function 02C69064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02C6912D
                                                                                                    • Part of subcall function 02C69064: CloseHandle.KERNEL32(00000000), ref: 02C69134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02C691E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: b3ff7689a60b4a76c28ad9254b8d5839ec7e39d77f1fd829853507fd46a45d81
                                                                                                  • Instruction ID: a236669438ac58bb59c0a41b780bf1d98de1a9d9be45cdf2027a51edb621b25c
                                                                                                  • Opcode Fuzzy Hash: b3ff7689a60b4a76c28ad9254b8d5839ec7e39d77f1fd829853507fd46a45d81
                                                                                                  • Instruction Fuzzy Hash: D10152F69401587BDB20A6619D8DFEF7B7CDB95701F0005A1BB49E2040DA7097898F71
                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02C62491,?,?,?,02C6E844,-00000030,?,?,?,00000001), ref: 02C62429
                                                                                                  • lstrlenA.KERNEL32(?,?,02C62491,?,?,?,02C6E844,-00000030,?,?,?,00000001,02C61E3D,00000001,localcfg,lid_file_upd), ref: 02C6243E
                                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 02C62452
                                                                                                  • lstrlenA.KERNEL32(?,?,02C62491,?,?,?,02C6E844,-00000030,?,?,?,00000001,02C61E3D,00000001,localcfg,lid_file_upd), ref: 02C62467
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                  • Opcode ID: 34972ee9907715cfb16cee91681b2fbe9cb932c38aaea64cd8c72015b2cf7c65
                                                                                                  • Instruction ID: 806b12a691843750d8de5b2bd5b8b677716152076a323ce2f30b543665bcf7bf
                                                                                                  • Opcode Fuzzy Hash: 34972ee9907715cfb16cee91681b2fbe9cb932c38aaea64cd8c72015b2cf7c65
                                                                                                  • Instruction Fuzzy Hash: B1011A71600218AFCF11EF69CC859EE7BA9EF443A4B01C426ED5997600E330EA548F91
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 02C6DD05: GetTickCount.KERNEL32 ref: 02C6DD0F
  • Part of subcall function 02C6DD05: InterlockedExchange.KERNEL32(02C736B4,00000001), ref: 02C6DD44
  • Part of subcall function 02C6DD05: GetCurrentThreadId.KERNEL32 ref: 02C6DD53
• lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,02C65EC1), ref: 02C6E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,02C65EC1), ref: 02C6E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,771B0F10,00000000,?,02C65EC1), ref: 02C6E722
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02C6E2A3,00000000,00000000,00000000,00020106,00000000,02C6E2A3,00000000,000000E4), ref: 02C6E0B2
• RegSetValueExA.ADVAPI32(02C6E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02C722F8), ref: 02C6E127
• RegDeleteValueA.ADVAPI32(02C6E2A3,?,?,?,?,?,000000C8,02C722F8), ref: 02C6E158
• RegCloseKey.ADVAPI32(02C6E2A3,?,?,?,?,000000C8,02C722F8,?,?,?,?,?,?,?,?,02C6E2A3), ref: 02C6E161
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• ReadFile.KERNEL32(00000000,00000000,02C6A3C7,00000000,00000000,000007D0,00000001), ref: 02C63FB8
• GetLastError.KERNEL32 ref: 02C63FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02C63FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C63FE6
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,02C6A3C7,00000000,00000000,000007D0,00000001), ref: 02C63F44
• GetLastError.KERNEL32 ref: 02C63F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02C63F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C63F72
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• GetTickCount.KERNEL32 ref: 02C6A4D1
• GetTickCount.KERNEL32 ref: 02C6A4E4
• Sleep.KERNEL32(00000000,?,02C6C2E9,02C6C4E0,00000000,localcfg,?,02C6C4E0,02C73588,02C68810), ref: 02C6A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C6A4FA
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 02C64E9E
• GetTickCount.KERNEL32 ref: 02C64EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 02C64EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C64EC3
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 02C64BDD
• GetTickCount.KERNEL32 ref: 02C64BEC
• Sleep.KERNEL32(00000000,?,?,?,0301E18C,02C650F2), ref: 02C64BF9
• InterlockedExchange.KERNEL32(0301E180,00000001), ref: 02C64C02
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 02C63103
• GetTickCount.KERNEL32 ref: 02C6310F
• Sleep.KERNEL32(00000000), ref: 02C6311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 02C63128
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02C6C057
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 02C630FA: GetTickCount.KERNEL32 ref: 02C63103
  • Part of subcall function 02C630FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02C63128
• GetCurrentThreadId.KERNEL32 ref: 02C63929
• GetCurrentThreadId.KERNEL32 ref: 02C63939
Strings
Memory Dump Source
• Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02C6BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02C6ABB9
                                                                                                  • InterlockedIncrement.KERNEL32(02C73640), ref: 02C6ABE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 224340156-2903620461
                                                                                                  • Opcode ID: 246bf2382540323e74ea0ee2ed72454260972414a02e7cda9a77915b1fe04a2e
                                                                                                  • Instruction ID: 94a338b5a7d71ea2b2d30905645e3b496c7d4a190be415b3ca9fe6834db7a9f4
                                                                                                  • Opcode Fuzzy Hash: 246bf2382540323e74ea0ee2ed72454260972414a02e7cda9a77915b1fe04a2e
                                                                                                  • Instruction Fuzzy Hash: F401B1315083C5AFEB11CF18D885FA67BAABF85354F144894F5C09B213C3B0E645CBA1
                                                                                                  APIs
                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02C626C3
                                                                                                  • inet_ntoa.WS2_32(?), ref: 02C626E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                  • Opcode ID: 40536b42eea3db731795d5e3335f48a74c735e48d6e8499066897a4b413a6579
                                                                                                  • Instruction ID: 66b7165567ee8fb6291a335f8697b0bb3704aa40ea0c09f2a7f8295164c3cf77
                                                                                                  • Opcode Fuzzy Hash: 40536b42eea3db731795d5e3335f48a74c735e48d6e8499066897a4b413a6579
                                                                                                  • Instruction Fuzzy Hash: 7AF082361482086FEB046FA0EC49EBA379DDB04350F104426F908CA090DB71D9509799
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,02C6EB54,_alldiv,02C6F0B7,80000001,00000000,00989680,00000000,?,?,?,02C6E342,00000000,7686EA50,80000001,00000000), ref: 02C6EAF2
                                                                                                  • GetProcAddress.KERNEL32(776F0000,00000000), ref: 02C6EB07
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: ntdll.dll
                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                  • Opcode ID: 864960a07d5607e4c435ed2fde10dfc7192a7616a6d3eae6025135ffdb2f1073
                                                                                                  • Instruction ID: 4cf4114b8a370cfca67381aeb098e308079decc2dd61d5cea4a80ae319a09412
                                                                                                  • Opcode Fuzzy Hash: 864960a07d5607e4c435ed2fde10dfc7192a7616a6d3eae6025135ffdb2f1073
                                                                                                  • Instruction Fuzzy Hash: 34D0C938A903439B9F125F649E4EF1577ECBBC0701B404956A40AD3100E730D42CEB08
                                                                                                  APIs
                                                                                                    • Part of subcall function 02C62D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,02C62F01,?,02C620FF,02C72000), ref: 02C62D3A
                                                                                                    • Part of subcall function 02C62D21: LoadLibraryA.KERNEL32(?), ref: 02C62D4A
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02C62F73
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 02C62F7A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000017.00000002.2485709368.0000000002C60000.00000040.00000400.00020000.00000000.sdmp, Offset: 02C60000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_23_2_2c60000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: f5fea7acef4febc0e962a8cc0ebad09997841358554202cdef357447c3a6921d
                                                                                                  • Instruction ID: 90231f3799bf2e14ae510a7353c98ba1c8a34f0e427dde8696587ba7ca580395
                                                                                                  • Opcode Fuzzy Hash: f5fea7acef4febc0e962a8cc0ebad09997841358554202cdef357447c3a6921d
                                                                                                  • Instruction Fuzzy Hash: 54519E7590025AAFDF01DF64D8C8AFABB75FF05304F1045A9EC96D7210E7329A29CB91