Windows Analysis Report
ODy57hA4Su.exe

Overview

General Information

Sample name: ODy57hA4Su.exe (renamed because the original name is a hash value)
Original sample name: 8b9be712ba5f26a1f6369833d52193fb.exe
Analysis ID: 1505456
MD5: 8b9be712ba5f26a1f6369833d52193fb
SHA1: 187b0a0888114923e4f611ed90402d7bf0e21733
SHA256: 6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 7772 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7780 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7916 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7008 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7924 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ODy57hA4Su.exe (PID: 8096 cmdline: "C:\Users\user\Desktop\ODy57hA4Su.exe" MD5: 8B9BE712BA5F26A1F6369833D52193FB)
    • cmd.exe (PID: 7348 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\puwycifc\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7528 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\puwycifc\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2088 cmdline: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3536 cmdline: "C:\Windows\System32\sc.exe" description puwycifc "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6668 cmdline: "C:\Windows\System32\sc.exe" start puwycifc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 6796 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • jhrsuqtz.exe (PID: 1244 cmdline: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d"C:\Users\user\Desktop\ODy57hA4Su.exe" MD5: F5B76C95C1D9FC0EC3E2E435EB8464A0)
    • svchost.exe (PID: 8172 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
    • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source | Rule | Description | Author | Strings
Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
    • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
    • 0x10310:$s2: loader_id
    • 0x10340:$s3: start_srv
    • 0x10370:$s4: lid_file_upd
    • 0x10364:$s5: localcfg
    • 0x10a94:$s6: Incorrect respons
    • 0x10b74:$s7: mx connect error
    • 0x10af0:$s8: Error sending command (sent = %d/%d)
    • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 16.2.jhrsuqtz.exe.700000.2.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 16.2.jhrsuqtz.exe.700000.2.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
    • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

          System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d"C:\Users\user\Desktop\ODy57hA4Su.exe", ParentImage: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe, ParentProcessId: 1244, ParentProcessName: jhrsuqtz.exe, ProcessCommandLine: svchost.exe, ProcessId: 8172, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\ODy57hA4Su.exe", ParentImage: C:\Users\user\Desktop\ODy57hA4Su.exe, ParentProcessId: 8096, ParentProcessName: ODy57hA4Su.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2088, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 8172, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d"C:\Users\user\Desktop\ODy57hA4Su.exe", ParentImage: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe, ParentProcessId: 1244, ParentProcessName: jhrsuqtz.exe, ProcessCommandLine: svchost.exe, ProcessId: 8172, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 8172, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\puwycifc
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\ODy57hA4Su.exe", ParentImage: C:\Users\user\Desktop\ODy57hA4Su.exe, ParentProcessId: 8096, ParentProcessName: ODy57hA4Su.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2088, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, ProcessId: 7772, ProcessName: svchost.exe
          No Suricata rule has matched

          AV Detection

Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 15%
Source: vanaheim.cn:443 | Virustotal: Detection: 7%
Source: jotunheim.name:443 | Virustotal: Detection: 12%
Source: ODy57hA4Su.exe | ReversingLabs: Detection: 67%
Source: ODy57hA4Su.exe | Virustotal: Detection: 46%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe | Joe Sandbox ML: detected
Source: ODy57hA4Su.exe | Joe Sandbox ML: detected

          Compliance

Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Unpacked PE file: 4.2.ODy57hA4Su.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Unpacked PE file: 16.2.jhrsuqtz.exe.400000.0.unpack
Source: ODy57hA4Su.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

          Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\puwycifc

          Networking

Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 67.195.228.109
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 77.232.41.29
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU
Source: global traffic | TCP traffic: 192.168.2.10:49705 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.10:65451 -> 67.195.228.109:25
Source: global traffic | TCP traffic: 192.168.2.10:65452 -> 142.251.168.27:25
Source: global traffic | TCP traffic: 192.168.2.10:65455 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: svchost.exe, 00000003.00000002.2529599067.00000202C3D18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2529400595.00000202C3496000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.3.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 65453 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 65456 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65456
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65453

          Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ODy57hA4Su.exe PID: 8096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jhrsuqtz.exe PID: 1244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8172, type: MEMORYSTR

          System Summary

Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 4.3.ODy57hA4Su.exe.2080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.3.ODy57hA4Su.exe.2080000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.5b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.5b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.3.jhrsuqtz.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.3.jhrsuqtz.exe.5d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 4.2.ODy57hA4Su.exe.4f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.2.ODy57hA4Su.exe.4f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f | Author: unknown
Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000010.00000002.1401015750.0000000000733000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c | Author: unknown
Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c | Author: unknown
Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f | Author: unknown
Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 | Author: unknown
Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee | Author: ditekSHen
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\puwycifc\
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_0040C913
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_0041A630
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_0040C913
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_0041A630
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733260
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733648
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_0073344F
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733838
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007332C0
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007334B8
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007338A0
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007336A9
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733770
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733328
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733710
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733517
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733901
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007333F0
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007331F6
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007337D8
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_007335DF
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733580
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00733388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_02EDC913
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: String function: 004F27AB appears 35 times
Source: ODy57hA4Su.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 | reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.3.ODy57hA4Su.exe.2080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.3.ODy57hA4Su.exe.2080000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.5b0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.5b0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.3.jhrsuqtz.exe.5d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.3.jhrsuqtz.exe.5d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.ODy57hA4Su.exe.4f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.ODy57hA4Su.exe.4f0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000010.00000002.1401015750.0000000000733000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: ODy57hA4Su.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@29/5@9/5
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeCode function: 4_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,4_2_00406A60
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeCode function: 4_2_0052A4B6 CreateToolhelp32Snapshot,Module32First,4_2_0052A4B6
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeCode function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,4_2_00409A6B
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_02ED9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | File created: C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe
Source: ODy57hA4Su.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ODy57hA4Su.exe | ReversingLabs: Detection: 67%
Source: ODy57hA4Su.exe | Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | File read: C:\Users\user\Desktop\ODy57hA4Su.exe
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_4-14997)
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_16-15951)
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown | Process created: C:\Users\user\Desktop\ODy57hA4Su.exe "C:\Users\user\Desktop\ODy57hA4Su.exe"
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\puwycifc\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\puwycifc\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description puwycifc "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start puwycifc
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d"C:\Users\user\Desktop\ODy57hA4Su.exe"
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\puwycifc\
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\puwycifc\
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description puwycifc "wifi internet conection"
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start puwycifc
Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsusererclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: msvcr100.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exeSection loaded: msimg32.dllJump to behavior
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exeSection loaded: msvcr100.dllJump to behavior
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\ODy57hA4Su.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

          Data Obfuscation

          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Unpacked PE file: 4.2.ODy57hA4Su.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Unpacked PE file: 16.2.jhrsuqtz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Unpacked PE file: 4.2.ODy57hA4Su.exe.400000.0.unpack
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Unpacked PE file: 16.2.jhrsuqtz.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 4_2_00406069
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_0052D79E push 0000002Bh; iretd 4_2_0052D7A4
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_00737566 push 0000002Bh; iretd 16_2_0073756C
          Source: ODy57hA4Su.exe Static PE information: section name: .text entropy: 7.4121914169616785

          Persistence and Installation Behavior

          Source: unknown Executable created and started: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe File created: C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe
          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe (copy)
          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe (copy)
          Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\puwycifc
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 4_2_00409A6B
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\ody57ha4su.exe
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00401000
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 19_2_02ED199C
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-16089
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_16-17285
          Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_19-7606
          Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision graph_19-6142
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-15439
          Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_19-7325
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_16-16336
          Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_19-7443
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-15012
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_16-15968
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe API coverage: 6.4 %
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe API coverage: 5.0 %
          Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_0041A630 GetSystemTimes followed by cmp: cmp dword ptr [00421ffch], 0ah and CTI: jne 0041A887h 4_2_0041A630
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_0041A630 GetSystemTimes followed by cmp: cmp dword ptr [00421ffch], 0ah and CTI: jne 0041A887h 16_2_0041A630
          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 4_2_00401D96
          Source: svchost.exe, 00000001.00000002.2529772280.0000015D20254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
          Source: svchost.exe, 00000001.00000002.2529919906.0000015D2027E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000001.00000002.2529575225.0000015D2022B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000001.00000002.2529772280.0000015D20254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
          Source: svchost.exe, 00000001.00000002.2529575225.0000015D20239000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}esD
          Source: svchost.exe, 00000001.00000002.2529393924.0000015D20202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
          Source: svchost.exe, 00000001.00000002.2530028168.0000015D20302000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000001.00000002.2529772280.0000015D20254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000013.00000002.2529242568.0000000003200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

          Anti Debugging

          Source: C:\Windows\SysWOW64\svchost.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_19-7636
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_16-17315
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_4-16470
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 4_2_00406069
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_004F092B mov eax, dword ptr fs:[00000030h] 4_2_004F092B
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_004F0D90 mov eax, dword ptr fs:[00000030h] 4_2_004F0D90
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00529D93 push dword ptr fs:[00000030h] 4_2_00529D93
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_005B092B mov eax, dword ptr fs:[00000030h] 16_2_005B092B
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_005B0D90 mov eax, dword ptr fs:[00000030h] 16_2_005B0D90
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_00733B5B push dword ptr fs:[00000030h] 16_2_00733B5B
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 4_2_0040EBCC
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe Code function: 4_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 4_2_00409A6B
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe Code function: 16_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 16_2_00409A6B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_02ED9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,19_2_02ED9A6B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2ED0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2ED0000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2ED0000
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D4C008
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\puwycifc\
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\puwycifc\
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description puwycifc "wifi internet conection"
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start puwycifc
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 times)
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (2 times)
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Queries volume information: C:\ VolumeInformation (2 times)
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Queries volume information: C:\ VolumeInformation (2 times)
          Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 times)
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: svchost.exe, 00000002.00000002.2529932039.000002064CD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
          Source: svchost.exe, 00000002.00000002.2529932039.000002064CD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 times)
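The Protection Evasion and Security Settings sections above hold four findings an analyst would want turned into automatic verdicts: an executable allocation in svchost.exe followed by a write that begins with the MZ magic 4D5A at the same base (a PE image injected across a process boundary), a service created by sc.exe whose binary lives in a freshly made sub-directory of SysWOW64, an inbound netsh allow rule that names svchost.exe as the program, and a write under the Security Center key. The Python below is an added example, not Joe Sandbox code or output: it parses behaviour lines in the report's format (the lines are copied from this report and embedded as constructed input) and applies those rules. The regexes, the "one directory below System32/SysWOW64" test and the verdict names are this example's own assumptions.

```python
"""Triage rules over behaviour lines in the format of the report above.

Added example for this page; it is not Joe Sandbox code. The input lines are
copied from the report. The regexes, the odd-directory rule and the verdict
names are this example's own assumptions about how an analyst would
correlate such lines.
"""
import re

# Constructed input: behaviour lines as they appear in the report.
REPORT_LINES = [
    r'Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2ED0000 protect: page execute and read and write',
    r'Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2ED0000 value starts with: 4D5A',
    r'Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D4C008',
    r'Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
    r'Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval',
]

LINE_RE = re.compile(
    r'^Source: (?P<src>\S+) \| '
    r'(?P<event>Memory allocated|Memory written|Process created|Key value created or modified): '
    r'(?P<rest>.*)$')
MEM_RE = re.compile(
    r'^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)'
    r'(?: protect: (?P<prot>[a-z ]+))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$')
SC_CREATE_RE = re.compile(r'\bcreate (?P<name>\S+) binPath= "(?P<bin>[^"]+)')
NETSH_RE = re.compile(
    r'advfirewall firewall add rule name="(?P<name>[^"]+)".*?action=allow.*?program="(?P<prog>[^"]+)"')
# Windows ships no service binaries one directory below System32/SysWOW64,
# so a service whose image sits there is worth a look (assumption).
ODD_SYSDIR_RE = re.compile(r'(?i)^c:\\windows\\(system32|syswow64)\\[^\\]+\\[^\\]+\.exe$')
SECURITY_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'


def parse(lines):
    """Yield (source process, event type, remainder) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m['src'], m['event'], m['rest']


def detect_pe_injection(lines):
    """Correlate an executable allocation in a foreign process with a later
    write of an MZ header to the same base address. A write to a different
    base (2D4C008 above) or without the magic does not count."""
    exec_allocs = {}
    hits = []
    for src, event, rest in parse(lines):
        m = MEM_RE.match(rest)
        if not m:
            continue
        key = (src, m['target'], m['base'].upper())
        if event == 'Memory allocated' and m['prot'] and 'execute' in m['prot']:
            exec_allocs[key] = m['prot']
        elif (event == 'Memory written' and m['magic']
              and m['magic'].upper().startswith('4D5A') and key in exec_allocs):
            hits.append({'rule': 'pe_injection', 'source': src, 'target': m['target'],
                         'base': key[2], 'protection': exec_allocs[key]})
    return hits


def detect_persistence(lines):
    """Service creation into an odd system sub-directory, an inbound allow
    rule for svchost.exe added through netsh, and Security Center writes."""
    hits = []
    for src, event, rest in parse(lines):
        if event == 'Process created':
            m = SC_CREATE_RE.search(rest)
            if m:
                binary = m['bin'].split()[0]          # drop the /d"..." argument
                if ODD_SYSDIR_RE.match(binary):
                    hits.append({'rule': 'service_in_system_subdir', 'source': src,
                                 'service': m['name'], 'binary': binary})
            m = NETSH_RE.search(rest)
            if m and m['prog'].lower().endswith('\\svchost.exe'):
                hits.append({'rule': 'firewall_allow_svchost', 'source': src,
                             'name': m['name'], 'program': m['prog']})
        elif event == 'Key value created or modified' and rest.startswith(SECURITY_CENTER):
            hits.append({'rule': 'security_center_modified', 'source': src, 'key': rest})
    return hits


def triage(lines):
    """All findings, injection first."""
    return detect_pe_injection(lines) + detect_persistence(lines)


if __name__ == '__main__':
    for hit in triage(REPORT_LINES):
        print(hit)
```

Run stand-alone it prints four findings for the lines above. The injection rule deliberately keys on (source, target, base) rather than on the target alone, so a benign RWX allocation by one process and an MZ write by another do not combine into a false positive.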

          Stealing of Sensitive Information

          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ODy57hA4Su.exe PID: 8096, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: jhrsuqtz.exe PID: 1244, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8172, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.3.jhrsuqtz.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ODy57hA4Su.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.5b0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.ODy57hA4Su.exe.2080000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.700000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.svchost.exe.2ed0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.jhrsuqtz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ODy57hA4Su.exe PID: 8096, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: jhrsuqtz.exe PID: 1244, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8172, type: MEMORYSTR
          Source: C:\Users\user\Desktop\ODy57hA4Su.exe | Code function: 4_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
          Source: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe | Code function: 16_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_02ED88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
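The socket chain above, together with the network table further down (direct connections on port 25 to the MX hosts of yahoo.com, mail.ru, google.com and microsoft.com, and to vanaheim.cn on 443), is the Tofsee spam pattern: a workstation delivering mail straight to many foreign mail exchangers while keeping a C2 channel open. The Python below is an added example, not from the report or from Joe Sandbox: a flow-based detection that flags any non-relay host reaching several distinct external SMTP destinations and raises the verdict when the same host also contacted the address the report marks malicious. Destination IPs are taken from the report; the flow records, the internal source addresses, the relay allow-list and the threshold are constructed assumptions.

```python
"""Flow-based detection of the SMTP fan-out a spam bot produces.

Added example for this page, not Joe Sandbox code. Destination addresses come
from the report's IP table; the flow records, the internal source addresses,
the relay list and the threshold are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = 'tcp'


# Constructed flow records for one infected workstation (10.0.0.23), one
# clean workstation (10.0.0.40) and the site's mail relay (10.0.0.5).
FLOWS = [
    Flow('10.0.0.23', '77.232.41.29', 443),    # vanaheim.cn, marked malicious in the report
    Flow('10.0.0.23', '67.195.228.109', 25),   # mta5.am0.yahoodns.net
    Flow('10.0.0.23', '217.69.139.150', 25),   # mxs.mail.ru
    Flow('10.0.0.23', '142.251.168.27', 25),   # smtp.google.com
    Flow('10.0.0.23', '52.101.11.0', 25),      # microsoft-com.mail.protection.outlook.com
    Flow('10.0.0.23', '67.195.228.109', 25),   # repeat delivery to the same MX
    Flow('10.0.0.40', '10.0.0.5', 25),         # normal client submission to the internal relay
    Flow('10.0.0.5', '217.69.139.150', 25),    # the relay doing its job
]

INTERNAL_RELAYS = {'10.0.0.5'}      # hosts allowed to speak SMTP to the Internet (assumption)
REPORT_C2_IPS = {'77.232.41.29'}    # the one IP the report marks malicious


def is_external(ip):
    """True for globally routable addresses; RFC 1918 space is not."""
    return ipaddress.ip_address(ip).is_global


def smtp_fanout(flows, min_distinct_mx=3, relays=INTERNAL_RELAYS):
    """Map each non-relay source to the sorted external SMTP destinations it
    reached, keeping only sources that hit at least min_distinct_mx of them.
    A workstation has no business delivering mail to several MX hosts
    directly; a relay does, which is why relays are excluded by name."""
    per_src = defaultdict(set)
    for f in flows:
        if f.proto == 'tcp' and f.dport == 25 and f.src not in relays and is_external(f.dst):
            per_src[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in per_src.items() if len(dsts) >= min_distinct_mx}


def classify(flows):
    """Verdict per fan-out source: 'spambot_with_c2' when the same host also
    contacted a known C2 address, otherwise 'smtp_fanout'."""
    c2_talkers = {f.src for f in flows if f.dst in REPORT_C2_IPS}
    return {src: ('spambot_with_c2' if src in c2_talkers else 'smtp_fanout')
            for src in smtp_fanout(flows)}


if __name__ == '__main__':
    for host, verdict in classify(FLOWS).items():
        print(host, verdict, smtp_fanout(FLOWS)[host])
```

Counting distinct destinations rather than connections is what separates a bot from a chatty client: repeated deliveries to one MX (the second 67.195.228.109 flow) add nothing to the score, while four different exchangers from a host that is not the site relay do.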
          MITRE ATT&CK Matrix

          Techniques with at least one signature mapped to this sample, grouped by tactic. The figure in parentheses is the count badge printed in the report's matrix cell.

          Initial Access: Valid Accounts (1)
          Execution: Windows Management Instrumentation (1); Native API (41); Command and Scripting Interpreter (2); Service Execution (3)
          Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
          Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (312)
          Defense Evasion: Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (22); Process Injection (312)
          Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (26); Security Software Discovery (251); Virtualization/Sandbox Evasion (22); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
          Collection: Archive Collected Data (1)
          Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)

          No technique is mapped under Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration or Impact.
          Behavior Graph (ID 1505456, sample ODy57hA4Su.exe, start date 06/09/2024, architecture WINDOWS, score 100)

          Network contacted: yahoo.com, vanaheim.cn and 6 other IPs or domains
          Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

          Process tree:
          ODy57hA4Su.exe
            dropped: C:\Users\user\AppData\Local\...\jhrsuqtz.exe (PE32)
            signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
            cmd.exe
              dropped: C:\Windows\SysWOW64\...\jhrsuqtz.exe (copy) (PE32)
              conhost.exe
            netsh.exe
              conhost.exe
            cmd.exe
              conhost.exe
            3 other processes
              conhost.exe (3)
          jhrsuqtz.exe
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
            svchost.exe
              network: vanaheim.cn 77.232.41.29 (ports 443, 49706, 65453), EUT-ASEUTIPNetworkRU, Russian Federation; mta5.am0.yahoodns.net 67.195.228.109 (port 25), YAHOO-GQ1US, United States; 3 other IPs or domains
              signatures: Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
          svchost.exe
            signatures: Changes security center settings (notifications, updates, antivirus, firewall)
            MpCmdRun.exe
              conhost.exe
          3 other processes
            signatures: Query firmware table information (likely to detect VMs)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial sample
          Source | Detection | Scanner | Label
          ODy57hA4Su.exe | 68% | ReversingLabs | Win32.Trojan.GCleaner
          ODy57hA4Su.exe | 47% | Virustotal |
          ODy57hA4Su.exe | 100% | Joe Sandbox ML |

          Dropped files
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe | 100% | Joe Sandbox ML |

          Unpacked PE files
          No Antivirus matches

          Domains
          Source | Detection | Scanner
          mxs.mail.ru | 0% | Virustotal
          mta5.am0.yahoodns.net | 0% | Virustotal
          microsoft-com.mail.protection.outlook.com | 0% | Virustotal
          vanaheim.cn | 16% | Virustotal
          smtp.google.com | 0% | Virustotal
          yahoo.com | 0% | Virustotal
          mail.ru | 0% | Virustotal
          google.com | 0% | Virustotal

          URLs
          Source | Detection | Scanner | Label
          http://standards.iso.org/iso/19770/-2/2009/schema.xsd | 0% | URL Reputation | safe
          vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
          jotunheim.name:443 | 100% | Avira URL Cloud | malware
          vanaheim.cn:443 | 8% | Virustotal |
          jotunheim.name:443 | 13% | Virustotal |
          Domains and IPs

          Contacted domains
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          mxs.mail.ru | 217.69.139.150 | true | false | | unknown
          mta5.am0.yahoodns.net | 67.195.228.109 | true | false | | unknown
          microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | false | | unknown
          vanaheim.cn | 77.232.41.29 | true | true | | unknown
          smtp.google.com | 142.251.168.27 | true | false | | unknown
          google.com | unknown | unknown | true | | unknown
          yahoo.com | unknown | unknown | true | | unknown
          mail.ru | unknown | unknown | true | | unknown

          Contacted URLs
          Name | Malicious | Antivirus Detection | Reputation
          vanaheim.cn:443 | true | 8% Virustotal; Avira URL Cloud: phishing | unknown
          jotunheim.name:443 | true | 13% Virustotal; Avira URL Cloud: malware | unknown

          URLs from memory and binaries
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://standards.iso.org/iso/19770/-2/2009/schema.xsd | svchost.exe, 00000003.00000002.2529599067.00000202C3D18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2529400595.00000202C3496000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.3.dr | false | URL Reputation: safe | unknown
          Contacted IPs
          IP | Domain | Country | ASN | ASN Name | Malicious
          52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
          67.195.228.109 | mta5.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | false
          142.251.168.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
          217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | false
          77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1505456
          Start date and time:2024-09-06 09:46:18 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 30s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed:24
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:ODy57hA4Su.exe
          renamed because original name is a hash value
          Original Sample Name:8b9be712ba5f26a1f6369833d52193fb.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@29/5@9/5
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 70
          • Number of non-executed functions: 261
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 20.70.246.20, 20.112.250.133, 20.76.201.171, 20.231.239.246, 20.236.44.162
          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          Time | Type | Description
          03:48:08 | API Interceptor | 2x Sleep call for process: svchost.exe modified
          03:48:12 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          52.101.11.0knkduwqg.exeGet hashmaliciousTofseeBrowse
            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
              SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                vyrcclmm.exeGet hashmaliciousTofseeBrowse
                  AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                    DWoKcG581L.exeGet hashmaliciousTofseeBrowse
                      kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
• Wc4SadetF5.exe | malicious | Tofsee
• L7iza9mNDI.exe | malicious | Tofsee
• file.exe | malicious | Tofsee
Match: 67.195.228.109
• Uc84uB877e.exe | malicious | Tofsee
• Eduhazqw4u.exe | malicious | Tofsee
• file.exe | malicious | Phorpiex
• file.exe | malicious | Phorpiex
• RqrQG7s66x.dll | malicious | Unknown
• gEkl9O5tiu.exe | malicious | Phorpiex
• file.exe | malicious | Phorpiex, Xmrig
• l3Qj8QhTYZ.exe | malicious | Phorpiex
• document_excel.exe | malicious | Unknown
• data.log.exe | malicious | Unknown
Match: 217.69.139.150
• Uc84uB877e.exe | malicious | Tofsee
• knkduwqg.exe | malicious | Tofsee
• foufdsk.exe | malicious | Tofsee
• bEsOrli29K.exe | malicious | Tofsee
• Eduhazqw4u.exe | malicious | Tofsee
• SGn3RtDC8Y.exe | malicious | Tofsee
• Sm4Ty3Em4z.exe | malicious | Tofsee
• ewdWlNc8TL.exe | malicious | Tofsee
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee
• vyrcclmm.exe | malicious | Tofsee
Match: 77.232.41.29
• Uc84uB877e.exe | malicious | Tofsee
• qkkcfptf.exe | malicious | Tofsee
• vekvtia.exe | malicious | Tofsee
• knkduwqg.exe | malicious | Tofsee
• foufdsk.exe | malicious | Tofsee
• UUJycuNA6D.exe | malicious | Tofsee
• bEsOrli29K.exe | malicious | Tofsee
Columns per row: Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: microsoft-com.mail.protection.outlook.com
• Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
• qkkcfptf.exe | malicious | Tofsee | 52.101.42.0
• vekvtia.exe | malicious | Tofsee | 52.101.8.49
• knkduwqg.exe | malicious | Tofsee | 52.101.11.0
• foufdsk.exe | malicious | Tofsee | 52.101.40.26
• UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
• bEsOrli29K.exe | malicious | Tofsee | 52.101.11.0
• Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
• igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
• fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
Match: mta5.am0.yahoodns.net
• igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
• fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
• vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
• lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
• I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
• file.exe | malicious | Phorpiex | 67.195.228.110
• file.exe | malicious | Phorpiex | 98.136.96.74
• file.exe | malicious | Tofsee | 98.136.96.77
• newtpp.exe | malicious | Phorpiex | 67.195.204.77
Match: vanaheim.cn
• Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
• qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
• vekvtia.exe | malicious | Tofsee | 77.232.41.29
• knkduwqg.exe | malicious | Tofsee | 77.232.41.29
• foufdsk.exe | malicious | Tofsee | 77.232.41.29
• UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
• bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
• Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
• igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
• fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
Match: mxs.mail.ru
• Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
• qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
• vekvtia.exe | malicious | Tofsee | 94.100.180.31
• knkduwqg.exe | malicious | Tofsee | 217.69.139.150
• foufdsk.exe | malicious | Tofsee | 217.69.139.150
• UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
• bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
• Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150
• igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
• fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
Columns per row: Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: YAHOO-GQ1US
• Uc84uB877e.exe | malicious | Tofsee | 67.195.228.109
• mpsl.elf | malicious | Mirai, Moobot | 67.195.2.108
• 154.213.187.80-x86-2024-09-01T00_09_56.elf | malicious | Mirai | 98.137.238.184
• teste.x86.elf | malicious | Mirai, Moobot, Okiru | 98.137.238.174
• https://ashanioliver14.wixsite.com/my-site-1 | malicious | Unknown | 67.195.160.105
• Eduhazqw4u.exe | malicious | Tofsee | 67.195.228.109
• igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
• fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
• SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
• .exe | malicious | Unknown | 67.195.228.84
Match: MAILRU-ASMailRuRU
• Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
• qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
• vekvtia.exe | malicious | Tofsee | 94.100.180.31
• knkduwqg.exe | malicious | Tofsee | 217.69.139.150
• foufdsk.exe | malicious | Tofsee | 217.69.139.150
• UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
• tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
• tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
• bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
• http://manga-netflix10737.tinyblogging.com.xx3.kz/ | malicious | Unknown | 94.100.180.209
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
• Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
• file.exe | malicious | Unknown | 13.107.253.72
• file.exe | malicious | Unknown | 94.245.104.56
• file.exe | malicious | Unknown | 94.245.104.56
• All-in-one Calculation Tool.xlsm | malicious | Unknown | 52.111.243.31
• All-in-one Calculation Tool.xlsm | malicious | Unknown | 13.107.246.57
• file.exe | malicious | Unknown | 13.107.246.57
• file.exe | malicious | Unknown | 94.245.104.56
• file.exe | malicious | Unknown | 20.75.60.91
• file.exe | malicious | Unknown | 13.107.246.51
Match: EUT-ASEUTIPNetworkRU
• Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
• qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
• vekvtia.exe | malicious | Tofsee | 77.232.41.29
• knkduwqg.exe | malicious | Tofsee | 77.232.41.29
• foufdsk.exe | malicious | Tofsee | 77.232.41.29
• UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
• bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
• Set-up.exe | malicious | Cryptbot | 77.232.42.234
• Set-up.exe | malicious | Cryptbot | 77.232.42.234
• file.exe | malicious | Cryptbot | 77.232.42.234
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):999
                                                                                    Entropy (8bit):4.966299883488245
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
                                                                                    MD5:24567B9212F806F6E3E27CDEB07728C0
                                                                                    SHA1:371AE77042FFF52327BF4B929495D5603404107D
                                                                                    SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
                                                                                    SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
                                                                                    Malicious:false
Preview:
<?xml version="1.0" encoding="utf-8"?>
<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
  <entitlement_required_indicator>true</entitlement_required_indicator>
  <product_title>Windows 10 Pro</product_title>
  <product_version>
    <name>10.0.19041.1865</name>
    <numeric>
      <major>10</major>
      <minor>0</minor>
      <build>19041</build>
      <review>1865</review>
    </numeric>
  </product_version>
  <software_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_creator>
  <software_licensor>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_licensor>
  <software_id>
    <unique_id>Windows-10-Pro</unique_id>
    <tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>
  </software_id>
  <tag_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </tag_creator>
</software_identification_tag>
                                                                                    Process:C:\Users\user\Desktop\ODy57hA4Su.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):10770432
                                                                                    Entropy (8bit):5.558530187858237
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:snEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEQ:s
                                                                                    MD5:F5B76C95C1D9FC0EC3E2E435EB8464A0
                                                                                    SHA1:06336B251E7666FE9C624C63D9BA86791F3C6DAB
                                                                                    SHA-256:F5790AC483240F6D0D98FCB58CEB7ECC48FD8A973E14AE642117346E410308E7
                                                                                    SHA-512:E7C612535903A8354C52F2CDD90FEA29F34E5580C5236387495B636D88BF19471E5EADBC442F29C2795430360B0318F4B861BF1F60B19EA7AE7D5C679ADA0807
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.w.....................|.......|.......|...u...............}...|.......|.......|.......Rich............PE..L.....Le..........................................@.............................................................................<....P..pn...........................................................................................................text............................... ..`.rdata...&.......(..................@..@.data...`a....... ..................@....rsrc...pn...P...p..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):4926
                                                                                    Entropy (8bit):3.2447141402027047
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF7XM+AAHdKoqKFxcxkFNS:cEG+AAsoJjykcEXM+AAsoJjyknS
                                                                                    MD5:03849BCB19E53DF7423BF6F52DEA6161
                                                                                    SHA1:65282542A457FC2656A91139DC0F5342B4F95A36
                                                                                    SHA-256:1EEBFDD67DF2D1EBB98834FD1BA8393C42B34FF25353B00D029E23674AAFC9C8
                                                                                    SHA-512:59AB3038A7971AA52C0545A2049BF98FE3377CE0EFEF8F68270F6EABE77D6B4BE25E022C38CCD8F2D8EA88E40D12BCA99983C705EE1E8DF1E59D91B3EF551E9F
                                                                                    Malicious:false
Preview:
------------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Thu Oct 05 2023 12:28:36

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsd
                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):10770432
                                                                                    Entropy (8bit):5.558530187858237
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:snEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEQ:s
                                                                                    MD5:F5B76C95C1D9FC0EC3E2E435EB8464A0
                                                                                    SHA1:06336B251E7666FE9C624C63D9BA86791F3C6DAB
                                                                                    SHA-256:F5790AC483240F6D0D98FCB58CEB7ECC48FD8A973E14AE642117346E410308E7
                                                                                    SHA-512:E7C612535903A8354C52F2CDD90FEA29F34E5580C5236387495B636D88BF19471E5EADBC442F29C2795430360B0318F4B861BF1F60B19EA7AE7D5C679ADA0807
                                                                                    Malicious:true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.w.....................|.......|.......|...u...............}...|.......|.......|.......Rich............PE..L.....Le..........................................@.............................................................................<....P..pn...........................................................................................................text............................... ..`.rdata...&.......(..................@..@.data...`a....... ..................@....rsrc...pn...P...p..................@..@........................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.567658781259732
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ODy57hA4Su.exe
File size: 219'136 bytes
MD5: 8b9be712ba5f26a1f6369833d52193fb
SHA1: 187b0a0888114923e4f611ed90402d7bf0e21733
SHA256: 6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f
SHA512: 33c457fab7b2910452de37d2a263d46b2391bb4b34b0c37793b6f5875180e92cb2caebfb2ab08e72393b0230407505c94eef6b41040c1500b2b4393fb3b58d08
SSDEEP: 3072:YASCGfSRnbJBJ0IQALHFv0raVXyPg9a+lfB0pyTbQ:0fSRnbJBJTLlr04C6
TLSH: C3246B7032A19036EDA74F308570CA940D3BBCA2AA75818E3675F75E9F737D26B51312
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.w.....................|.......|.......|...u...............}...|.......|.......|.......Rich............PE..L.....Le...........
Icon Hash: 73873bb18b9383ec
Entrypoint: 0x401abc
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x654C961B [Thu Nov 9 08:19:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 68652b48a737e9f2c13434df562b207d
Instruction
call 00007FDAF89B0A61h
jmp 00007FDAF89AC3FEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041FB10h], eax
mov dword ptr [0041FB0Ch], ecx
mov dword ptr [0041FB08h], edx
mov dword ptr [0041FB04h], ebx
mov dword ptr [0041FB00h], esi
mov dword ptr [0041FAFCh], edi
mov word ptr [0041FB28h], ss
mov word ptr [0041FB1Ch], cs
mov word ptr [0041FAF8h], ds
mov word ptr [0041FAF4h], es
mov word ptr [0041FAF0h], fs
mov word ptr [0041FAECh], gs
pushfd
pop dword ptr [0041FB20h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041FB14h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041FB18h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041FB24h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041FA60h], 00010001h
mov eax, dword ptr [0041FB18h]
mov dword ptr [0041FA14h], eax
mov dword ptr [0041FA08h], C0000409h
mov dword ptr [0041FA0Ch], 00000001h
mov eax, dword ptr [0041E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cdb4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x16e70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19a1f | 0x19c00 | bd40c9b4ab5d8dd51699ee5e0fe9bfab | False | 0.7730108464805825 | data | 7.4121914169616785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x26bc | 0x2800 | 1f20ea55c45480c2aaa811c1622e7519 | False | 0.33779296875 | data | 4.901974891539308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x6160 | 0x2000 | 5522bd5cdd4c15915bebcb351be22c7e | False | 0.1864013671875 | data | 2.1351772058530196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25000 | 0x16e70 | 0x17000 | fdbdc2b5205391f6c3bf96a469d1e710 | False | 0.4806067425271739 | data | 5.530443203556076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x36bd8 | 0x2 | data | | | 5.0
LEBELIKOYALIPIDEKOMAKISIHU | 0x35bb8 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6010447273914463
VORAPABONADIDOS | 0x367b0 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.630648330058939
RT_CURSOR | 0x36be0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x36d10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x25980 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.582089552238806
RT_ICON | 0x26828 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6588447653429603
RT_ICON | 0x270d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7246543778801844
RT_ICON | 0x27798 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7666184971098265
RT_ICON | 0x27d00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5450207468879668
RT_ICON | 0x2a2a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6613508442776735
RT_ICON | 0x2b350 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.684016393442623
RT_ICON | 0x2bcd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8058510638297872
RT_ICON | 0x2c1b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.35287846481876334
RT_ICON | 0x2d060 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5518953068592057
RT_ICON | 0x2d908 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6209677419354839
RT_ICON | 0x2dfd0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6791907514450867
RT_ICON | 0x2e538 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.42738589211618255
RT_ICON | 0x30ae0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5209016393442623
RT_ICON | 0x31468 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5070921985815603
RT_ICON | 0x31938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4064498933901919
RT_ICON | 0x327e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5640794223826715
RT_ICON | 0x33088 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6273041474654378
RT_ICON | 0x33750 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6351156069364162
RT_ICON | 0x33cb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4643527204502814
RT_ICON | 0x34d60 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4504098360655738
RT_ICON | 0x356e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5
RT_DIALOG | 0x39488 | 0x84 | data | | | 0.7651515151515151
RT_STRING | 0x39510 | 0x3c2 | data | | | 0.46153846153846156
RT_STRING | 0x398d8 | 0x638 | data | | | 0.43467336683417085
RT_STRING | 0x39f10 | 0x46 | data | | | 0.6714285714285714
RT_STRING | 0x39f58 | 0x8b6 | data | | | 0.41524663677130047
RT_STRING | 0x3a810 | 0x64e | data | | | 0.43246592317224286
RT_STRING | 0x3ae60 | 0x782 | data | | | 0.42351716961498437
RT_STRING | 0x3b5e8 | 0x728 | data | | | 0.42740174672489084
RT_STRING | 0x3bd10 | 0x15a | data | | | 0.5086705202312138
RT_ACCELERATOR | 0x36bb0 | 0x28 | data | | | 1.025
RT_GROUP_CURSOR | 0x392b8 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x318d0 | 0x68 | data | Turkish | Turkey | 0.7019230769230769
RT_GROUP_ICON | 0x2c140 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x35b50 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_VERSION | 0x392e0 | 0x1a8 | data | | | 0.589622641509434
DLL | Import
KERNEL32.dll | FillConsoleOutputCharacterA, GetNumaProcessorNode, DebugActiveProcessStop, GetDefaultCommConfigW, CallNamedPipeA, WriteConsoleOutputW, HeapAlloc, GlobalSize, GetEnvironmentStringsW, CreateDirectoryW, GetComputerNameW, GetSystemDefaultLCID, GetModuleHandleW, GetConsoleAliasesLengthA, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, SetConsoleMode, GetFileAttributesW, SetConsoleTitleA, GetShortPathNameA, InterlockedExchange, GetStartupInfoA, GetLastError, GetProcAddress, SetStdHandle, EnterCriticalSection, SearchPathA, BuildCommDCBW, GetNumaHighestNodeNumber, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, WritePrivateProfileStringA, QueryDosDeviceW, VirtualLock, FoldStringW, GetModuleFileNameA, FreeEnvironmentStringsW, FindAtomW, CopyFileExA, WriteConsoleW, CloseHandle, MultiByteToWideChar, EncodePointer, DecodePointer, ExitProcess, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, LeaveCriticalSection, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, Sleep, HeapSize, WideCharToMultiByte, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeW, HeapFree, RtlUnwind, ReadFile, HeapReAlloc, IsProcessorFeaturePresent, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CreateFileW
USER32.dll | GetUserObjectInformationW
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2024 09:47:25.890877008 CEST | 49705 | 25 | 192.168.2.10 | 52.101.11.0
Sep 6, 2024 09:47:26.897068024 CEST | 49705 | 25 | 192.168.2.10 | 52.101.11.0
Sep 6, 2024 09:47:28.912662029 CEST | 49705 | 25 | 192.168.2.10 | 52.101.11.0
Sep 6, 2024 09:47:29.038562059 CEST | 49706 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:47:29.038590908 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.10
Sep 6, 2024 09:47:29.038670063 CEST | 49706 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:47:32.912616968 CEST | 49705 | 25 | 192.168.2.10 | 52.101.11.0
Sep 6, 2024 09:47:40.912640095 CEST | 49705 | 25 | 192.168.2.10 | 52.101.11.0
Sep 6, 2024 09:47:45.898736954 CEST | 65451 | 25 | 192.168.2.10 | 67.195.228.109
Sep 6, 2024 09:47:46.912719965 CEST | 65451 | 25 | 192.168.2.10 | 67.195.228.109
Sep 6, 2024 09:47:48.912641048 CEST | 65451 | 25 | 192.168.2.10 | 67.195.228.109
Sep 6, 2024 09:47:52.912672043 CEST | 65451 | 25 | 192.168.2.10 | 67.195.228.109
Sep 6, 2024 09:48:00.912693024 CEST | 65451 | 25 | 192.168.2.10 | 67.195.228.109
Sep 6, 2024 09:48:05.914643049 CEST | 65452 | 25 | 192.168.2.10 | 142.251.168.27
Sep 6, 2024 09:48:06.912664890 CEST | 65452 | 25 | 192.168.2.10 | 142.251.168.27
Sep 6, 2024 09:48:08.912739992 CEST | 65452 | 25 | 192.168.2.10 | 142.251.168.27
Sep 6, 2024 09:48:09.053561926 CEST | 49706 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:09.053633928 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.10
Sep 6, 2024 09:48:09.053709030 CEST | 49706 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:09.164203882 CEST | 65453 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:09.164256096 CEST | 443 | 65453 | 77.232.41.29 | 192.168.2.10
Sep 6, 2024 09:48:09.164376974 CEST | 65453 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:12.912869930 CEST | 65452 | 25 | 192.168.2.10 | 142.251.168.27
Sep 6, 2024 09:48:20.912738085 CEST | 65452 | 25 | 192.168.2.10 | 142.251.168.27
Sep 6, 2024 09:48:26.553499937 CEST | 65455 | 25 | 192.168.2.10 | 217.69.139.150
Sep 6, 2024 09:48:27.568968058 CEST | 65455 | 25 | 192.168.2.10 | 217.69.139.150
Sep 6, 2024 09:48:29.584575891 CEST | 65455 | 25 | 192.168.2.10 | 217.69.139.150
Sep 6, 2024 09:48:33.584621906 CEST | 65455 | 25 | 192.168.2.10 | 217.69.139.150
Sep 6, 2024 09:48:41.584794044 CEST | 65455 | 25 | 192.168.2.10 | 217.69.139.150
Sep 6, 2024 09:48:49.178486109 CEST | 65453 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:49.178565025 CEST | 443 | 65453 | 77.232.41.29 | 192.168.2.10
Sep 6, 2024 09:48:49.178657055 CEST | 65453 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:49.288523912 CEST | 65456 | 443 | 192.168.2.10 | 77.232.41.29
Sep 6, 2024 09:48:49.288599014 CEST | 443 | 65456 | 77.232.41.29 | 192.168.2.10
Sep 6, 2024 09:48:49.288678885 CEST | 65456 | 443 | 192.168.2.10 | 77.232.41.29
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2024 09:47:25.859498978 CEST | 59930 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:47:25.890256882 CEST | 53 | 59930 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:47:28.835510969 CEST | 61998 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:47:29.038001060 CEST | 53 | 61998 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:47:33.779006004 CEST | 53 | 54716 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:47:45.882472038 CEST | 62499 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:47:45.889719009 CEST | 53 | 62499 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:47:45.890409946 CEST | 64231 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:47:45.898046970 CEST | 53 | 64231 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:48:05.897738934 CEST | 64533 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:48:05.905121088 CEST | 53 | 64533 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:48:05.906070948 CEST | 54767 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:48:05.914035082 CEST | 53 | 54767 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:48:25.928958893 CEST | 63996 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:48:26.531683922 CEST | 53 | 63996 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:48:26.535339117 CEST | 57385 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:48:26.552733898 CEST | 53 | 57385 | 1.1.1.1 | 192.168.2.10
Sep 6, 2024 09:49:19.190006018 CEST | 58757 | 53 | 192.168.2.10 | 1.1.1.1
Sep 6, 2024 09:49:19.221368074 CEST | 53 | 58757 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 6, 2024 09:47:25.859498978 CEST | 192.168.2.10 | 1.1.1.1 | 0x1ea5 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:28.835510969 CEST | 192.168.2.10 | 1.1.1.1 | 0xd8ae | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.882472038 CEST | 192.168.2.10 | 1.1.1.1 | 0x5e55 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:47:45.890409946 CEST | 192.168.2.10 | 1.1.1.1 | 0x72b8 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.897738934 CEST | 192.168.2.10 | 1.1.1.1 | 0x8320 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:48:05.906070948 CEST | 192.168.2.10 | 1.1.1.1 | 0x324 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:25.928958893 CEST | 192.168.2.10 | 1.1.1.1 | 0x8ebe | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:48:26.535339117 CEST | 192.168.2.10 | 1.1.1.1 | 0xd11f | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:49:19.190006018 CEST | 192.168.2.10 | 1.1.1.1 | 0xa80c | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 6, 2024 09:47:25.890256882 CEST | 1.1.1.1 | 192.168.2.10 | 0x1ea5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:25.890256882 CEST | 1.1.1.1 | 192.168.2.10 | 0x1ea5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:25.890256882 CEST | 1.1.1.1 | 192.168.2.10 | 0x1ea5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:25.890256882 CEST | 1.1.1.1 | 192.168.2.10 | 0x1ea5 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:29.038001060 CEST | 1.1.1.1 | 192.168.2.10 | 0xd8ae | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.889719009 CEST | 1.1.1.1 | 192.168.2.10 | 0x5e55 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:47:45.889719009 CEST | 1.1.1.1 | 192.168.2.10 | 0x5e55 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:47:45.889719009 CEST | 1.1.1.1 | 192.168.2.10 | 0x5e55 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:47:45.898046970 CEST | 1.1.1.1 | 192.168.2.10 | 0x72b8 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.905121088 CEST | 1.1.1.1 | 192.168.2.10 | 0x8320 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:48:05.914035082 CEST | 1.1.1.1 | 192.168.2.10 | 0x324 | No error (0) | smtp.google.com | | 142.251.168.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.914035082 CEST | 1.1.1.1 | 192.168.2.10 | 0x324 | No error (0) | smtp.google.com | | 142.251.168.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.914035082 CEST | 1.1.1.1 | 192.168.2.10 | 0x324 | No error (0) | smtp.google.com | | 64.233.184.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.914035082 CEST | 1.1.1.1 | 192.168.2.10 | 0x324 | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:05.914035082 CEST | 1.1.1.1 | 192.168.2.10 | 0x324 | No error (0) | smtp.google.com | | 64.233.184.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:26.531683922 CEST | 1.1.1.1 | 192.168.2.10 | 0x8ebe | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:48:26.552733898 CEST | 1.1.1.1 | 192.168.2.10 | 0xd11f | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:48:26.552733898 CEST | 1.1.1.1 | 192.168.2.10 | 0xd11f | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:49:19.221368074 CEST | 1.1.1.1 | 192.168.2.10 | 0xa80c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:49:19.221368074 CEST | 1.1.1.1 | 192.168.2.10 | 0xa80c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:49:19.221368074 CEST | 1.1.1.1 | 192.168.2.10 | 0xa80c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:49:19.221368074 CEST | 1.1.1.1 | 192.168.2.10 | 0xa80c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
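
The DNS tables above show the pattern that gives a spam bot away on the wire: the infected host asks for the MX records of yahoo.com, google.com and mail.ru and, a few milliseconds after each answer, resolves the returned exchanger (mta5.am0.yahoodns.net, smtp.google.com, mxs.mail.ru). An ordinary workstation delegates mail delivery to a relay and never issues MX queries itself. The Python below is an added detection example, not part of the Joe Sandbox report and not a Joe Security rule: it takes the query rows from the table above (plus one invented control row for a second host), groups them by source IP, and pairs each MX query with the A query that follows it inside a short window. The tab-separated export layout and the 5-second window are assumptions.

```python
"""Flag endpoints that look up MX records and then resolve the exchangers.

Added example, not part of the Joe Sandbox report.  A workstation's resolver
has no reason to ask for MX records; a bot that delivers spam directly to the
recipients' mail exchangers (Tofsee's business) must.  The rows below are
copied from the report's DNS query table plus one invented control row for a
second host; the tab-separated export layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed input: the report's query rows (timestamp, src, dst, txid, name, type),
# plus an invented benign lookup from 192.168.2.11 that must not be flagged.
DNS_QUERIES = """\
Sep 6, 2024 09:47:25.859498978 CEST\t192.168.2.10\t1.1.1.1\t0x1ea5\tmicrosoft-com.mail.protection.outlook.com\tA (IP address)
Sep 6, 2024 09:47:28.835510969 CEST\t192.168.2.10\t1.1.1.1\t0xd8ae\tvanaheim.cn\tA (IP address)
Sep 6, 2024 09:47:45.882472038 CEST\t192.168.2.10\t1.1.1.1\t0x5e55\tyahoo.com\tMX (Mail exchange)
Sep 6, 2024 09:47:45.890409946 CEST\t192.168.2.10\t1.1.1.1\t0x72b8\tmta5.am0.yahoodns.net\tA (IP address)
Sep 6, 2024 09:48:05.897738934 CEST\t192.168.2.10\t1.1.1.1\t0x8320\tgoogle.com\tMX (Mail exchange)
Sep 6, 2024 09:48:05.906070948 CEST\t192.168.2.10\t1.1.1.1\t0x324\tsmtp.google.com\tA (IP address)
Sep 6, 2024 09:48:25.928958893 CEST\t192.168.2.10\t1.1.1.1\t0x8ebe\tmail.ru\tMX (Mail exchange)
Sep 6, 2024 09:48:26.535339117 CEST\t192.168.2.10\t1.1.1.1\t0xd11f\tmxs.mail.ru\tA (IP address)
Sep 6, 2024 09:49:19.190006018 CEST\t192.168.2.10\t1.1.1.1\t0xa80c\tmicrosoft-com.mail.protection.outlook.com\tA (IP address)
Sep 6, 2024 09:49:30.000000000 CEST\t192.168.2.11\t1.1.1.1\t0x0001\twww.example.com\tA (IP address)
"""

FOLLOW_UP_WINDOW_S = 5.0  # assumption: an A query this soon after an MX query resolves its exchanger


def parse_ts(text):
    """'Sep 6, 2024 09:47:45.882472038 CEST' -> naive datetime (fraction cut to microseconds)."""
    stamp, frac_tz = text.split(".", 1)
    frac = frac_tz.split()[0][:6].ljust(6, "0")
    return datetime.strptime(stamp, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac))


def parse_queries(log):
    """Parse the tab-separated rows into dicts sorted by timestamp; the type keeps only 'A'/'MX'."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, txid, name, qtype = line.split("\t")
        rows.append({"ts": parse_ts(ts), "src": src, "dst": dst, "txid": txid,
                     "name": name.lower(), "type": qtype.split()[0].upper()})
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_mx_probers(rows, window=FOLLOW_UP_WINDOW_S):
    """Return {src_ip: [(mx_domain, exchanger_or_None), ...]} for every source that sent MX queries.

    The exchanger is the first A query from the same source, for a different name,
    within `window` seconds of the MX query; None means the MX answer was not chased.
    """
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    findings = {}
    for src, events in by_src.items():
        hits = []
        for i, r in enumerate(events):
            if r["type"] != "MX":
                continue
            exchanger = None
            for later in events[i + 1:]:
                if (later["ts"] - r["ts"]).total_seconds() > window:
                    break
                if later["type"] == "A" and later["name"] != r["name"]:
                    exchanger = later["name"]
                    break
            hits.append((r["name"], exchanger))
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in find_mx_probers(parse_queries(DNS_QUERIES)).items():
        print(f"{src}: {len(hits)} MX lookups, chased exchangers: {[h[1] for h in hits]}")
```

On the report's rows only 192.168.2.10 is reported, with all three MX lookups paired to their exchangers; the control host does nothing suspicious. In a real deployment the same logic runs over resolver or Zeek `dns.log` records, and the exchanger pairing is what separates a bot from a stray `nslookup -type=mx` by an administrator.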

                                                                                    Target ID:0
                                                                                    Start time:03:47:11
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                    Imagebase:0x7ff7df220000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:1
                                                                                    Start time:03:47:11
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                    Imagebase:0x7ff7df220000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:2
                                                                                    Start time:03:47:11
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                    Imagebase:0x7ff7df220000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:3
                                                                                    Start time:03:47:11
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                    Imagebase:0x7ff7df220000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:4
                                                                                    Start time:03:47:12
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Users\user\Desktop\ODy57hA4Su.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\ODy57hA4Su.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:219'136 bytes
                                                                                    MD5 hash:8B9BE712BA5F26A1F6369833D52193FB
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000004.00000003.1327897456.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:03:47:17
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\puwycifc\
                                                                                    Imagebase:0xd70000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:03:47:17
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:03:47:18
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\jhrsuqtz.exe" C:\Windows\SysWOW64\puwycifc\
                                                                                    Imagebase:0xd70000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:03:47:18
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:03:47:18
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" create puwycifc binPath= "C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d\"C:\Users\user\Desktop\ODy57hA4Su.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                    Imagebase:0xca0000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:03:47:19
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:03:47:19
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" description puwycifc "wifi internet conection"
                                                                                    Imagebase:0xca0000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:03:47:19
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:03:47:20
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" start puwycifc
                                                                                    Imagebase:0xca0000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:03:47:20
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:03:47:20
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe /d"C:\Users\user\Desktop\ODy57hA4Su.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:10'770'432 bytes
                                                                                    MD5 hash:F5B76C95C1D9FC0EC3E2E435EB8464A0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.1401015750.0000000000733000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000003.1400257997.00000000005D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.1400962398.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:03:47:20
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                    Imagebase:0x1160000
                                                                                    File size:82'432 bytes
                                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:03:47:20
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:03:47:24
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:svchost.exe
                                                                                    Imagebase:0x50000
                                                                                    File size:46'504 bytes
                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Has exited:false

                                                                                    Target ID:21
                                                                                    Start time:03:48:12
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                    Imagebase:0x7ff6edd70000
                                                                                    File size:468'120 bytes
                                                                                    MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:03:48:12
                                                                                    Start date:06/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff620390000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true


                                                                                      Execution Graph

                                                                                      Execution Coverage:4%
                                                                                      Dynamic/Decrypted Code Coverage:2.1%
                                                                                      Signature Coverage:26.5%
                                                                                      Total number of Nodes:1552
                                                                                      Total number of Limit Nodes:20
40f0f1 15575->15576 15577 40f0ed 15575->15577 15578 40f119 15576->15578 15579 40f0fa lstrlenA SysAllocStringByteLen 15576->15579 15577->15204 15581 40f11c MultiByteToWideChar 15578->15581 15580 40f117 15579->15580 15579->15581 15580->15204 15581->15580 15583 401820 17 API calls 15582->15583 15584 4018f2 15583->15584 15585 4018f9 15584->15585 15597 401280 15584->15597 15585->15200 15587 401908 15587->15200 15610 401000 15588->15610 15590 401839 15591 401851 GetCurrentProcess 15590->15591 15592 40183d 15590->15592 15593 401864 15591->15593 15592->15191 15593->15191 15595 406e5f LookupAccountNameW 15594->15595 15596 406e97 15594->15596 15595->15596 15596->15567 15599 4012e1 15597->15599 15598 401373 ShellExecuteExW 15600 4016f9 GetLastError 15598->15600 15606 4013a8 15598->15606 15599->15598 15599->15599 15609 401699 15600->15609 15601 401570 lstrlenW 15601->15606 15602 4015be GetStartupInfoW 15602->15606 15603 4015ff CreateProcessWithLogonW 15604 4016bf GetLastError 15603->15604 15605 40163f WaitForSingleObject 15603->15605 15604->15609 15605->15606 15607 401659 CloseHandle 15605->15607 15606->15601 15606->15602 15606->15603 15608 401668 CloseHandle 15606->15608 15606->15609 15607->15606 15608->15606 15609->15587 15611 40100d LoadLibraryA 15610->15611 15619 401023 15610->15619 15612 401021 15611->15612 15611->15619 15612->15590 15613 4010b5 GetProcAddress 15614 4010d1 GetProcAddress 15613->15614 15615 40127b 15613->15615 15614->15615 15616 4010f0 GetProcAddress 15614->15616 15615->15590 15616->15615 15617 401110 GetProcAddress 15616->15617 15617->15615 15618 401130 GetProcAddress 15617->15618 15618->15615 15620 40114f GetProcAddress 15618->15620 15619->15613 15630 4010ae 15619->15630 15620->15615 15621 40116f GetProcAddress 15620->15621 15621->15615 15622 40118f GetProcAddress 15621->15622 15622->15615 15623 4011ae GetProcAddress 15622->15623 15623->15615 15624 4011ce GetProcAddress 15623->15624 15624->15615 15625 4011ee GetProcAddress 15624->15625 15625->15615 15626 
401209 GetProcAddress 15625->15626 15626->15615 15627 401225 GetProcAddress 15626->15627 15627->15615 15628 401241 GetProcAddress 15627->15628 15628->15615 15629 40125c GetProcAddress 15628->15629 15629->15615 15630->15590 15633 4069b9 WriteFile 15631->15633 15634 406a3c 15633->15634 15636 4069ff 15633->15636 15634->15213 15634->15214 15635 406a10 WriteFile 15635->15634 15635->15636 15636->15634 15636->15635 15638 40eb17 15637->15638 15639 40eb21 15637->15639 15641 40eae4 15638->15641 15639->15218 15642 40eb02 GetProcAddress 15641->15642 15643 40eaed LoadLibraryA 15641->15643 15642->15639 15643->15642 15644 40eb01 15643->15644 15644->15639 15646 40eba7 GetProcessHeap HeapSize 15645->15646 15647 40ebbf GetProcessHeap HeapFree 15645->15647 15646->15647 15647->15247 15649 40908d 15648->15649 15650 4090e2 wsprintfA 15649->15650 15651 40ee2a 15650->15651 15652 4090fd CreateFileA 15651->15652 15653 40911a lstrlenA WriteFile CloseHandle 15652->15653 15654 40913f 15652->15654 15653->15654 15654->15256 15654->15257 15656 40ee2a 15655->15656 15657 409794 CreateProcessA 15656->15657 15658 4097c2 15657->15658 15659 4097bb 15657->15659 15660 4097d4 GetThreadContext 15658->15660 15659->15268 15661 409801 15660->15661 15662 4097f5 15660->15662 15669 40637c 15661->15669 15663 4097f6 TerminateProcess 15662->15663 15663->15659 15665 409816 15665->15663 15666 40981e WriteProcessMemory 15665->15666 15666->15662 15667 40983b SetThreadContext 15666->15667 15667->15662 15668 409858 ResumeThread 15667->15668 15668->15659 15670 406386 15669->15670 15671 40638a GetModuleHandleA VirtualAlloc 15669->15671 15670->15665 15672 4063f5 15671->15672 15673 4063b6 15671->15673 15672->15665 15674 4063be VirtualAllocEx 15673->15674 15674->15672 15675 4063d6 15674->15675 15676 4063df WriteProcessMemory 15675->15676 15676->15672 15678 40dd41 InterlockedExchange 15677->15678 15679 40dd20 GetCurrentThreadId 15678->15679 15680 40dd4a 15678->15680 15681 40dd53 GetCurrentThreadId 15679->15681 15682 40dd2e 
GetTickCount 15679->15682 15680->15681 15681->15271 15682->15680 15683 40dd39 Sleep 15682->15683 15683->15678 15685 40dbf0 15684->15685 15717 40db67 GetEnvironmentVariableA 15685->15717 15687 40dc19 15688 40dcda 15687->15688 15689 40db67 3 API calls 15687->15689 15688->15273 15690 40dc5c 15689->15690 15690->15688 15691 40db67 3 API calls 15690->15691 15692 40dc9b 15691->15692 15692->15688 15693 40db67 3 API calls 15692->15693 15693->15688 15695 40db55 15694->15695 15696 40db3a 15694->15696 15695->15275 15695->15280 15721 40ebed 15696->15721 15730 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15698->15730 15700 40e3be 15700->15275 15701 40e342 15701->15700 15733 40de24 15701->15733 15704 40e528 15703->15704 15705 40e3f4 15703->15705 15704->15283 15706 40e434 RegQueryValueExA 15705->15706 15707 40e51d RegCloseKey 15706->15707 15708 40e458 15706->15708 15707->15704 15709 40e46e RegQueryValueExA 15708->15709 15709->15708 15710 40e488 15709->15710 15710->15707 15711 40db2e 8 API calls 15710->15711 15712 40e499 15711->15712 15712->15707 15713 40e4b9 RegQueryValueExA 15712->15713 15714 40e4e8 15712->15714 15713->15712 15713->15714 15714->15707 15715 40e332 14 API calls 15714->15715 15716 40e513 15715->15716 15716->15707 15718 40db89 lstrcpyA CreateFileA 15717->15718 15719 40dbca 15717->15719 15718->15687 15719->15687 15722 40ec01 15721->15722 15723 40ebf6 15721->15723 15725 40eba0 codecvt 2 API calls 15722->15725 15724 40ebcc 4 API calls 15723->15724 15726 40ebfe 15724->15726 15727 40ec0a GetProcessHeap HeapReAlloc 15725->15727 15726->15695 15728 40eb74 2 API calls 15727->15728 15729 40ec28 15728->15729 15729->15695 15744 40eb41 15730->15744 15734 40de3a 15733->15734 15740 40de4e 15734->15740 15748 40dd84 15734->15748 15737 40ebed 8 API calls 15742 40def6 15737->15742 15738 40de9e 15738->15737 15738->15740 15739 40de76 15752 40ddcf 15739->15752 15740->15701 15742->15740 15743 40ddcf lstrcmpA 15742->15743 15743->15740 15745 40eb54 15744->15745 15746 40eb4a 
15744->15746 15745->15701 15747 40eae4 2 API calls 15746->15747 15747->15745 15749 40ddc5 15748->15749 15750 40dd96 15748->15750 15749->15738 15749->15739 15750->15749 15751 40ddad lstrcmpiA 15750->15751 15751->15749 15751->15750 15753 40dddd 15752->15753 15755 40de20 15752->15755 15754 40ddfa lstrcmpA 15753->15754 15753->15755 15754->15753 15755->15740 15757 40dd05 6 API calls 15756->15757 15758 40e821 15757->15758 15759 40dd84 lstrcmpiA 15758->15759 15760 40e82c 15759->15760 15761 40e844 15760->15761 15804 402480 15760->15804 15761->15300 15764 40dd05 6 API calls 15763->15764 15765 40df7c 15764->15765 15766 40dd84 lstrcmpiA 15765->15766 15769 40df89 15766->15769 15767 40dfc4 15767->15306 15768 40ddcf lstrcmpA 15768->15769 15769->15767 15769->15768 15770 40ec2e codecvt 4 API calls 15769->15770 15771 40dd84 lstrcmpiA 15769->15771 15770->15769 15771->15769 15773 40ea98 15772->15773 15813 40e8a1 15773->15813 15775 401e84 15775->15309 15777 4019d5 GetProcAddress GetProcAddress GetProcAddress 15776->15777 15780 4019ce 15776->15780 15778 401ab3 FreeLibrary 15777->15778 15779 401a04 15777->15779 15778->15780 15779->15778 15781 401a14 GetProcessHeap 15779->15781 15780->15313 15781->15780 15783 401a2e HeapAlloc 15781->15783 15783->15780 15784 401a42 15783->15784 15785 401a52 HeapReAlloc 15784->15785 15787 401a62 15784->15787 15785->15787 15786 401aa1 FreeLibrary 15786->15780 15787->15786 15788 401a96 HeapFree 15787->15788 15788->15786 15841 401ac3 LoadLibraryA 15789->15841 15792 401bcf 15792->15324 15794 401ac3 12 API calls 15793->15794 15795 401c09 15794->15795 15796 401c0d GetComputerNameA 15795->15796 15799 401c41 15795->15799 15797 401c45 GetVolumeInformationA 15796->15797 15798 401c1f 15796->15798 15797->15799 15798->15797 15798->15799 15799->15333 15801 40ee2a 15800->15801 15802 4030d0 gethostname gethostbyname 15801->15802 15803 401f82 15802->15803 15803->15337 15803->15339 15807 402419 lstrlenA 15804->15807 15806 402491 15806->15761 15808 402474 15807->15808 15809 
40243d lstrlenA 15807->15809 15808->15806 15810 402464 lstrlenA 15809->15810 15811 40244e lstrcmpiA 15809->15811 15810->15808 15810->15809 15811->15810 15812 40245c 15811->15812 15812->15808 15812->15810 15814 40dd05 6 API calls 15813->15814 15815 40e8b4 15814->15815 15816 40dd84 lstrcmpiA 15815->15816 15817 40e8c0 15816->15817 15818 40e90a 15817->15818 15819 40e8c8 lstrcpynA 15817->15819 15821 402419 4 API calls 15818->15821 15829 40ea27 15818->15829 15820 40e8f5 15819->15820 15834 40df4c 15820->15834 15822 40e926 lstrlenA lstrlenA 15821->15822 15824 40e96a 15822->15824 15825 40e94c lstrlenA 15822->15825 15828 40ebcc 4 API calls 15824->15828 15824->15829 15825->15824 15826 40e901 15827 40dd84 lstrcmpiA 15826->15827 15827->15818 15830 40e98f 15828->15830 15829->15775 15830->15829 15831 40df4c 20 API calls 15830->15831 15832 40ea1e 15831->15832 15833 40ec2e codecvt 4 API calls 15832->15833 15833->15829 15835 40dd05 6 API calls 15834->15835 15836 40df51 15835->15836 15837 40f04e 4 API calls 15836->15837 15838 40df58 15837->15838 15839 40de24 10 API calls 15838->15839 15840 40df63 15839->15840 15840->15826 15842 401ae2 GetProcAddress 15841->15842 15846 401b68 GetComputerNameA GetVolumeInformationA 15841->15846 15843 401af5 15842->15843 15842->15846 15844 401b29 15843->15844 15845 40ebed 8 API calls 15843->15845 15844->15846 15847 40ec2e codecvt 4 API calls 15844->15847 15845->15843 15846->15792 15847->15846 15849 406ec3 2 API calls 15848->15849 15850 407ef4 15849->15850 15851 4073ff 17 API calls 15850->15851 15860 407fc9 15850->15860 15852 407f16 15851->15852 15852->15860 15861 407809 GetUserNameA 15852->15861 15854 407f63 15855 40ef1e lstrlenA 15854->15855 15854->15860 15856 407fa6 15855->15856 15857 40ef1e lstrlenA 15856->15857 15858 407fb7 15857->15858 15885 407a95 RegOpenKeyExA 15858->15885 15860->15350 15862 40783d LookupAccountNameA 15861->15862 15863 407a8d 15861->15863 15862->15863 15864 407874 GetLengthSid GetFileSecurityA 15862->15864 15863->15854 
15864->15863 15865 4078a8 GetSecurityDescriptorOwner 15864->15865 15866 4078c5 EqualSid 15865->15866 15867 40791d GetSecurityDescriptorDacl 15865->15867 15866->15867 15868 4078dc LocalAlloc 15866->15868 15867->15863 15875 407941 15867->15875 15868->15867 15869 4078ef InitializeSecurityDescriptor 15868->15869 15871 407916 LocalFree 15869->15871 15872 4078fb SetSecurityDescriptorOwner 15869->15872 15870 40795b GetAce 15870->15875 15871->15867 15872->15871 15873 40790b SetFileSecurityA 15872->15873 15873->15871 15874 407980 EqualSid 15874->15875 15875->15863 15875->15870 15875->15874 15876 407a3d 15875->15876 15877 4079be EqualSid 15875->15877 15878 40799d DeleteAce 15875->15878 15876->15863 15879 407a43 LocalAlloc 15876->15879 15877->15875 15878->15875 15879->15863 15880 407a56 InitializeSecurityDescriptor 15879->15880 15881 407a62 SetSecurityDescriptorDacl 15880->15881 15882 407a86 LocalFree 15880->15882 15881->15882 15883 407a73 SetFileSecurityA 15881->15883 15882->15863 15883->15882 15884 407a83 15883->15884 15884->15882 15886 407ac4 15885->15886 15887 407acb GetUserNameA 15885->15887 15886->15860 15888 407da7 RegCloseKey 15887->15888 15889 407aed LookupAccountNameA 15887->15889 15888->15886 15889->15888 15890 407b24 RegGetKeySecurity 15889->15890 15890->15888 15891 407b49 GetSecurityDescriptorOwner 15890->15891 15892 407b63 EqualSid 15891->15892 15893 407bb8 GetSecurityDescriptorDacl 15891->15893 15892->15893 15894 407b74 LocalAlloc 15892->15894 15895 407da6 15893->15895 15902 407bdc 15893->15902 15894->15893 15896 407b8a InitializeSecurityDescriptor 15894->15896 15895->15888 15898 407bb1 LocalFree 15896->15898 15899 407b96 SetSecurityDescriptorOwner 15896->15899 15897 407bf8 GetAce 15897->15902 15898->15893 15899->15898 15900 407ba6 RegSetKeySecurity 15899->15900 15900->15898 15901 407c1d EqualSid 15901->15902 15902->15895 15902->15897 15902->15901 15903 407cd9 15902->15903 15904 407c5f EqualSid 15902->15904 15905 407c3a DeleteAce 15902->15905 15903->15895 15906 
407d5a LocalAlloc 15903->15906 15907 407cf2 RegOpenKeyExA 15903->15907 15904->15902 15905->15902 15906->15895 15908 407d70 InitializeSecurityDescriptor 15906->15908 15907->15906 15913 407d0f 15907->15913 15909 407d7c SetSecurityDescriptorDacl 15908->15909 15910 407d9f LocalFree 15908->15910 15909->15910 15911 407d8c RegSetKeySecurity 15909->15911 15910->15895 15911->15910 15912 407d9c 15911->15912 15912->15910 15914 407d43 RegSetValueExA 15913->15914 15914->15906 15915 407d54 15914->15915 15915->15906 15916->15367 15918 40dd05 6 API calls 15917->15918 15921 40e65f 15918->15921 15919 40e6a5 15920 40ebcc 4 API calls 15919->15920 15923 40e6f5 15919->15923 15925 40e6b0 15920->15925 15921->15919 15922 40e68c lstrcmpA 15921->15922 15922->15921 15924 40e6b7 15923->15924 15927 40e71d lstrcmpA 15923->15927 15924->15369 15925->15923 15925->15924 15926 40e6e0 lstrcpynA 15925->15926 15926->15923 15927->15923 15928->15375 15930 40c525 15929->15930 15931 40c532 15929->15931 15930->15931 15934 40ec2e codecvt 4 API calls 15930->15934 15932 40c548 15931->15932 16081 40e7ff 15931->16081 15935 40e7ff lstrcmpiA 15932->15935 15942 40c54f 15932->15942 15934->15931 15936 40c615 15935->15936 15937 40ebcc 4 API calls 15936->15937 15936->15942 15937->15942 15938 40c5d1 15941 40ebcc 4 API calls 15938->15941 15940 40e819 11 API calls 15943 40c5b7 15940->15943 15941->15942 15942->15388 15944 40f04e 4 API calls 15943->15944 15945 40c5bf 15944->15945 15945->15932 15945->15938 15947 402692 inet_addr 15946->15947 15948 40268e 15946->15948 15947->15948 15949 40269e gethostbyname 15947->15949 15950 40f428 15948->15950 15949->15948 16084 40f315 15950->16084 15955 40c8d2 15953->15955 15954 40c907 15954->15422 15955->15954 15956 40c517 23 API calls 15955->15956 15956->15954 15957 40f43e 15958 40f473 recv 15957->15958 15959 40f458 15958->15959 15960 40f47c 15958->15960 15959->15958 15959->15960 15960->15405 15962 40c670 15961->15962 15963 40c67d 15961->15963 15964 40ebcc 4 API calls 15962->15964 15965 
40ebcc 4 API calls 15963->15965 15966 40c699 15963->15966 15964->15963 15965->15966 15967 40c6f3 15966->15967 15968 40c73c send 15966->15968 15967->15418 15967->15482 15968->15967 15970 40c770 15969->15970 15971 40c77d 15969->15971 15973 40ebcc 4 API calls 15970->15973 15972 40c799 15971->15972 15974 40ebcc 4 API calls 15971->15974 15975 40c7b5 15972->15975 15976 40ebcc 4 API calls 15972->15976 15973->15971 15974->15972 15977 40f43e recv 15975->15977 15976->15975 15978 40c7cb 15977->15978 15979 40f43e recv 15978->15979 15980 40c7d3 15978->15980 15979->15980 15980->15482 16097 407db7 15981->16097 15984 407e70 15985 407e96 15984->15985 15987 40f04e 4 API calls 15984->15987 15985->15482 15986 40f04e 4 API calls 15988 407e4c 15986->15988 15987->15985 15988->15984 15989 40f04e 4 API calls 15988->15989 15989->15984 15991 406ec3 2 API calls 15990->15991 15992 407fdd 15991->15992 15993 4073ff 17 API calls 15992->15993 16002 4080c2 CreateProcessA 15992->16002 15994 407fff 15993->15994 15995 407809 21 API calls 15994->15995 15994->16002 15996 40804d 15995->15996 15997 40ef1e lstrlenA 15996->15997 15996->16002 15998 40809e 15997->15998 15999 40ef1e lstrlenA 15998->15999 16000 4080af 15999->16000 16001 407a95 24 API calls 16000->16001 16001->16002 16002->15471 16002->15472 16004 407db7 2 API calls 16003->16004 16005 407eb8 16004->16005 16006 40f04e 4 API calls 16005->16006 16007 407ece DeleteFileA 16006->16007 16007->15482 16009 40dd05 6 API calls 16008->16009 16010 40e31d 16009->16010 16101 40e177 16010->16101 16012 40e326 16012->15441 16014 4031f3 16013->16014 16024 4031ec 16013->16024 16015 40ebcc 4 API calls 16014->16015 16028 4031fc 16015->16028 16016 40344b 16017 403459 16016->16017 16018 40349d 16016->16018 16019 40f04e 4 API calls 16017->16019 16020 40ec2e codecvt 4 API calls 16018->16020 16021 40345f 16019->16021 16020->16024 16022 4030fa 4 API calls 16021->16022 16022->16024 16023 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 16023->16028 16024->15482 
16025 40344d 16026 40ec2e codecvt 4 API calls 16025->16026 16026->16016 16028->16016 16028->16023 16028->16024 16028->16025 16028->16028 16029 403141 lstrcmpiA 16028->16029 16127 4030fa GetTickCount 16028->16127 16029->16028 16031 4030fa 4 API calls 16030->16031 16032 403c1a 16031->16032 16033 403ce6 16032->16033 16132 403a72 16032->16132 16033->15482 16036 403a72 9 API calls 16038 403c5e 16036->16038 16037 403a72 9 API calls 16037->16038 16038->16033 16038->16037 16039 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16038->16039 16039->16038 16041 403a10 16040->16041 16042 4030fa 4 API calls 16041->16042 16043 403a1a 16042->16043 16043->15482 16045 40dd05 6 API calls 16044->16045 16046 40e7be 16045->16046 16046->15482 16048 40c07e wsprintfA 16047->16048 16052 40c105 16047->16052 16141 40bfce GetTickCount wsprintfA 16048->16141 16050 40c0ef 16142 40bfce GetTickCount wsprintfA 16050->16142 16052->15482 16054 407047 16053->16054 16055 406f88 LookupAccountNameA 16053->16055 16054->15482 16057 407025 16055->16057 16058 406fcb 16055->16058 16059 406edd 5 API calls 16057->16059 16061 406fdb ConvertSidToStringSidA 16058->16061 16060 40702a wsprintfA 16059->16060 16060->16054 16061->16057 16062 406ff1 16061->16062 16063 407013 LocalFree 16062->16063 16063->16057 16065 40dd05 6 API calls 16064->16065 16066 40e85c 16065->16066 16067 40dd84 lstrcmpiA 16066->16067 16068 40e867 16067->16068 16069 40e885 lstrcpyA 16068->16069 16143 4024a5 16068->16143 16146 40dd69 16069->16146 16075 407db7 2 API calls 16074->16075 16076 407de1 16075->16076 16077 40f04e 4 API calls 16076->16077 16080 407e16 16076->16080 16078 407df2 16077->16078 16079 40f04e 4 API calls 16078->16079 16078->16080 16079->16080 16080->15482 16082 40dd84 lstrcmpiA 16081->16082 16083 40c58e 16082->16083 16083->15932 16083->15938 16083->15940 16085 40f33b 16084->16085 16093 40ca1d 16084->16093 16086 40f347 htons socket 16085->16086 16087 40f382 ioctlsocket 16086->16087 16088 40f374 closesocket 
16086->16088 16089 40f3aa connect select 16087->16089 16090 40f39d 16087->16090 16088->16093 16092 40f3f2 __WSAFDIsSet 16089->16092 16089->16093 16091 40f39f closesocket 16090->16091 16091->16093 16092->16091 16094 40f403 ioctlsocket 16092->16094 16093->15402 16093->15957 16096 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16094->16096 16096->16093 16098 407dc8 InterlockedExchange 16097->16098 16099 407dc0 Sleep 16098->16099 16100 407dd4 16098->16100 16099->16098 16100->15984 16100->15986 16102 40e184 16101->16102 16103 40e2e4 16102->16103 16104 40e223 16102->16104 16117 40dfe2 16102->16117 16103->16012 16104->16103 16106 40dfe2 8 API calls 16104->16106 16110 40e23c 16106->16110 16107 40e1be 16107->16104 16108 40dbcf 3 API calls 16107->16108 16111 40e1d6 16108->16111 16109 40e21a CloseHandle 16109->16104 16110->16103 16121 40e095 RegCreateKeyExA 16110->16121 16111->16104 16111->16109 16112 40e1f9 WriteFile 16111->16112 16112->16109 16114 40e213 16112->16114 16114->16109 16115 40e2a3 16115->16103 16116 40e095 4 API calls 16115->16116 16116->16103 16118 40dffc 16117->16118 16120 40e024 16117->16120 16119 40db2e 8 API calls 16118->16119 16118->16120 16119->16120 16120->16107 16122 40e172 16121->16122 16125 40e0c0 16121->16125 16122->16115 16123 40e13d 16124 40e14e RegDeleteValueA RegCloseKey 16123->16124 16124->16122 16125->16123 16126 40e115 RegSetValueExA 16125->16126 16126->16123 16126->16125 16128 403122 InterlockedExchange 16127->16128 16129 40312e 16128->16129 16130 40310f GetTickCount 16128->16130 16129->16028 16130->16129 16131 40311a Sleep 16130->16131 16131->16128 16133 40f04e 4 API calls 16132->16133 16140 403a83 16133->16140 16134 403ac1 16134->16033 16134->16036 16135 403be6 16136 40ec2e codecvt 4 API calls 16135->16136 16136->16134 16137 403bc0 16137->16135 16139 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16137->16139 16138 403b66 lstrlenA 16138->16134 16138->16140 16139->16137 16140->16134 16140->16137 16140->16138 
16141->16050 16142->16052 16144 402419 4 API calls 16143->16144 16145 4024b6 16144->16145 16145->16069 16147 40dd79 lstrlenA 16146->16147 16147->15482 16149 404084 16148->16149 16150 40407d 16148->16150 16151 403ecd 6 API calls 16149->16151 16152 40408f 16151->16152 16153 404000 3 API calls 16152->16153 16155 404095 16153->16155 16154 404130 16156 403ecd 6 API calls 16154->16156 16155->16154 16160 403f18 4 API calls 16155->16160 16157 404159 CreateNamedPipeA 16156->16157 16158 404167 Sleep 16157->16158 16159 404188 ConnectNamedPipe 16157->16159 16158->16154 16162 404176 CloseHandle 16158->16162 16161 404195 GetLastError 16159->16161 16173 4041ab 16159->16173 16163 4040da 16160->16163 16164 40425e DisconnectNamedPipe 16161->16164 16161->16173 16162->16159 16165 403f8c 4 API calls 16163->16165 16164->16159 16166 4040ec 16165->16166 16167 404127 CloseHandle 16166->16167 16168 404101 16166->16168 16167->16154 16169 403f18 4 API calls 16168->16169 16170 40411c ExitProcess 16169->16170 16171 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16171->16173 16172 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16172->16173 16173->16159 16173->16164 16173->16171 16173->16172 16174 40426a CloseHandle CloseHandle 16173->16174 16175 40e318 23 API calls 16174->16175 16176 40427b 16175->16176 16176->16176 16178 408791 16177->16178 16179 40879f 16177->16179 16180 40f04e 4 API calls 16178->16180 16181 4087bc 16179->16181 16182 40f04e 4 API calls 16179->16182 16180->16179 16183 40e819 11 API calls 16181->16183 16182->16181 16184 4087d7 16183->16184 16193 408803 16184->16193 16199 4026b2 gethostbyaddr 16184->16199 16187 4087eb 16189 40e8a1 30 API calls 16187->16189 16187->16193 16189->16193 16192 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16192->16193 16193->16192 16194 40e819 11 API calls 16193->16194 16195 4088a0 Sleep 16193->16195 16197 4026b2 2 API calls 16193->16197 16198 40e8a1 30 API calls 
16193->16198 16204 408cee 16193->16204 16212 40c4d6 16193->16212 16215 40c4e2 16193->16215 16218 402011 16193->16218 16253 408328 16193->16253 16194->16193 16195->16193 16197->16193 16198->16193 16200 4026fb 16199->16200 16201 4026cd 16199->16201 16200->16187 16202 4026e1 inet_ntoa 16201->16202 16203 4026de 16201->16203 16202->16203 16203->16187 16205 408d02 GetTickCount 16204->16205 16206 408dae 16204->16206 16205->16206 16208 408d19 16205->16208 16206->16193 16207 408da1 GetTickCount 16207->16206 16208->16207 16211 408d89 16208->16211 16305 40a677 16208->16305 16308 40a688 16208->16308 16211->16207 16316 40c2dc 16212->16316 16216 40c2dc 124 API calls 16215->16216 16217 40c4ec 16216->16217 16217->16193 16219 402020 16218->16219 16220 40202e 16218->16220 16221 40f04e 4 API calls 16219->16221 16222 40204b 16220->16222 16223 40f04e 4 API calls 16220->16223 16221->16220 16224 40206e GetTickCount 16222->16224 16225 40f04e 4 API calls 16222->16225 16223->16222 16226 402090 16224->16226 16227 4020db GetTickCount 16224->16227 16230 402068 16225->16230 16228 4020d4 GetTickCount 16226->16228 16233 402684 2 API calls 16226->16233 16242 4020ce 16226->16242 16579 401978 16226->16579 16229 402132 GetTickCount GetTickCount 16227->16229 16237 4020e7 16227->16237 16228->16227 16231 40f04e 4 API calls 16229->16231 16230->16224 16234 402159 16231->16234 16232 40212b GetTickCount 16232->16229 16233->16226 16235 4021b4 16234->16235 16239 40e854 13 API calls 16234->16239 16238 40f04e 4 API calls 16235->16238 16237->16232 16244 401978 15 API calls 16237->16244 16245 402125 16237->16245 16584 402ef8 16237->16584 16241 4021d1 16238->16241 16243 40218e 16239->16243 16246 4021f2 16241->16246 16248 40ea84 30 API calls 16241->16248 16242->16228 16247 40e819 11 API calls 16243->16247 16244->16237 16245->16232 16246->16193 16249 40219c 16247->16249 16250 4021ec 16248->16250 16249->16235 16592 401c5f 16249->16592 16251 40f04e 4 API calls 16250->16251 16251->16246 16254 407dd6 6 API calls 
16253->16254 16255 40833c 16254->16255 16256 408340 16255->16256 16257 406ec3 2 API calls 16255->16257 16256->16193 16258 40834f 16257->16258 16259 40835c 16258->16259 16262 40846b 16258->16262 16260 4073ff 17 API calls 16259->16260 16261 408373 16260->16261 16261->16256 16282 4083ea RegOpenKeyExA 16261->16282 16293 408450 16261->16293 16266 4084a7 RegOpenKeyExA 16262->16266 16262->16293 16263 408626 GetTempPathA 16295 408638 16263->16295 16264 40675c 21 API calls 16265 4085df 16264->16265 16265->16263 16276 408762 16265->16276 16265->16295 16268 4084c0 RegQueryValueExA 16266->16268 16270 40852f 16266->16270 16271 408521 RegCloseKey 16268->16271 16275 4084dd 16268->16275 16269 4086ad 16273 407e2f 6 API calls 16269->16273 16269->16276 16272 408564 RegOpenKeyExA 16270->16272 16284 4085a5 16270->16284 16271->16270 16274 408573 RegSetValueExA RegCloseKey 16272->16274 16272->16284 16285 4086bb 16273->16285 16274->16284 16275->16271 16277 40ebcc 4 API calls 16275->16277 16276->16256 16279 40ec2e codecvt 4 API calls 16276->16279 16281 4084f0 16277->16281 16278 40875b DeleteFileA 16278->16276 16279->16256 16281->16271 16283 4084f8 RegQueryValueExA 16281->16283 16286 4083fd RegQueryValueExA 16282->16286 16282->16293 16283->16271 16287 408515 16283->16287 16288 40ec2e codecvt 4 API calls 16284->16288 16284->16293 16285->16278 16289 4086e0 lstrcpyA lstrlenA 16285->16289 16290 40842d RegSetValueExA 16286->16290 16291 40841e 16286->16291 16292 40ec2e codecvt 4 API calls 16287->16292 16288->16293 16294 407fcf 64 API calls 16289->16294 16296 408447 RegCloseKey 16290->16296 16291->16290 16291->16296 16297 40851d 16292->16297 16293->16264 16293->16265 16298 408719 CreateProcessA 16294->16298 16664 406ba7 IsBadCodePtr 16295->16664 16296->16293 16297->16271 16299 40873d CloseHandle CloseHandle 16298->16299 16300 40874f 16298->16300 16299->16276 16301 407ee6 64 API calls 16300->16301 16302 408754 16301->16302 16303 407ead 6 API calls 16302->16303 16304 40875a 16303->16304 16304->16278 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 5e9f80298255327e39bb5a43b3680402934ce1a896d3dc4b77bb4975c6ac572f
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 5e9f80298255327e39bb5a43b3680402934ce1a896d3dc4b77bb4975c6ac572f
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 0041A6EF
• SetConsoleTitleA.KERNEL32(00000000), ref: 0041A6F7
• GlobalSize.KERNEL32(00000000), ref: 0041A6FF
• FindAtomW.KERNEL32(00000000), ref: 0041A707
• SearchPathA.KERNEL32(0041C9B0,0041C998,0041C978,00000000,?,?), ref: 0041A72B
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A735
• GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A75D
• CopyFileExA.KERNEL32(0041C9DC,0041C9CC,00000000,00000000,00000000,00000000), ref: 0041A775
• GetEnvironmentStringsW.KERNEL32 ref: 0041A77B
• WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A79A
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A7A4
• DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A7AC
• GetSystemDefaultLCID.KERNEL32 ref: 0041A7C6
• RtlEnterCriticalSection.NTDLL(?), ref: 0041A7DA
• LoadLibraryA.KERNEL32(00000000), ref: 0041A7F3
• GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A844
• GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A859
• FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A881
• GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0041A8A0
• CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A8AD
• GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A8B5
• GetFileAttributesW.KERNEL32(00000000), ref: 0041A8BC
• GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A8C2
• GlobalAlloc.KERNELBASE(00000000,00421FFC), ref: 0041A90C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358812255.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_415000_ODy57hA4Su.jbxd
Similarity
• API ID: Console$DefaultFileGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesCallCommComputerConfigCopyCriticalDebugEnterEnvironmentExchangeExesFindFoldInformationInterlockedLibraryLoadModeNameNamedNodeNumaObjectOutputPathPipeProcessProcessorSearchSectionSizeStopStringStringsTimesTitleUserWrite
• String ID: W9@$k`$}$
• API String ID: 414751691-3186663488
• Opcode ID: 3125ac5748dbd4fbce1368805dc9991385e2cf29a0c5f3b6033c5a1e3b709f57
• Instruction ID: 38aa9030d850b5c0fa977c86cdfdbc856e4cc6e92616535b5e60fdfa969bb4c8
• Opcode Fuzzy Hash: 3125ac5748dbd4fbce1368805dc9991385e2cf29a0c5f3b6033c5a1e3b709f57
• Instruction Fuzzy Hash: 90A127B1641310ABD320AB61DC4AFDB7B64EB4C715F01843AF669A61E0CBB85541CBEF

Control-flow Graph

                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                                      • API String ID: 3696105349-2220793183

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1251348514-2980165447

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                      • String ID:
                                                                                      • API String ID: 1209300637-0

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .$GetProcAddress.$l
                                                                                      • API String ID: 0-2784972518
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0052A4DE
                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 0052A4FE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, Offset: 00529000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_529000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 3833638111-0
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                      • String ID:
                                                                                      • API String ID: 2559512979-0

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
                                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004074F0
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 00407528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004076E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 00407717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 00407745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 004077EF
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 3433985886-3108538426

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
                                                                                      • RegEnumValueA.KERNELBASE(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 0040719E
                                                                                      • RegCloseKey.KERNELBASE(774D0F10,?,774D0F10,00000000), ref: 004071B2
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 00407208
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 00407291
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 004072D0
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 00407314
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 004073D8
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                                      • API String ID: 4293430545-98143240
                                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 644 40675c-406778 645 406784-4067a2 CreateFileA 644->645 646 40677a-40677e SetFileAttributesA 644->646 647 4067a4-4067b2 CreateFileA 645->647 648 4067b5-4067b8 645->648 646->645 647->648 649 4067c5-4067c9 648->649 650 4067ba-4067bf SetFileAttributesA 648->650 651 406977-406986 649->651 652 4067cf-4067df GetFileSize 649->652 650->649 653 4067e5-4067e7 652->653 654 40696b 652->654 653->654 656 4067ed-40680b ReadFile 653->656 655 40696e-406971 FindCloseChangeNotification 654->655 655->651 656->654 657 406811-406824 SetFilePointer 656->657 657->654 658 40682a-406842 ReadFile 657->658 658->654 659 406848-406861 SetFilePointer 658->659 659->654 660 406867-406876 659->660 661 4068d5-4068df 660->661 662 406878-40688f ReadFile 660->662 661->655 663 4068e5-4068eb 661->663 664 406891-40689e 662->664 665 4068d2 662->665 666 4068f0-4068fe call 40ebcc 663->666 667 4068ed 663->667 668 4068a0-4068b5 664->668 669 4068b7-4068ba 664->669 665->661 666->654 676 406900-40690b SetFilePointer 666->676 667->666 671 4068bd-4068c3 668->671 669->671 672 4068c5 671->672 673 4068c8-4068ce 671->673 672->673 673->662 675 4068d0 673->675 675->661 677 40695a-406969 call 40ec2e 676->677 678 40690d-406920 ReadFile 676->678 677->655 678->677 679 406922-406958 678->679 679->655
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,774D0F10,00000000), ref: 0040688B
                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 00406906
                                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,774D0F10,00000000), ref: 0040691C
                                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,774D0F10,00000000), ref: 00406971
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 1400801100-0
                                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
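
The read pattern in the trace above (0x40 bytes from offset 0, a seek, 0xF8 bytes, a seek, then 0x28-byte reads) is consistent with a hand-rolled PE parser: IMAGE_DOS_HEADER, IMAGE_NT_HEADERS for a PE32 image, then one IMAGE_SECTION_HEADER per section. The Python below is an added example, not code from the sample or from Joe Sandbox, that performs the same three reads on a constructed header-only PE32 blob and then lists the sections whose characteristics ask for writable and executable memory, which is the property a "changes PE section rights" unpacker relies on. The function names, the sample bytes and the ".stub" section are this example's own.

```python
import struct
from typing import List, NamedTuple

# Read sizes mirror the three ReadFile lengths seen in the trace above.
DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8     # sizeof(IMAGE_NT_HEADERS32): 4 + 20 + 0xE0
SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


class PEHeaders(NamedTuple):
    e_lfanew: int
    machine: int
    number_of_sections: int
    entry_point: int
    image_base: int
    sections: List[Section]


def parse_pe_headers(data: bytes) -> PEHeaders:
    """Walk DOS header -> NT headers -> section table in the same order as the trace."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]           # first seek target
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) < NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsec, _ts, _symp, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 24                                                     # IMAGE_OPTIONAL_HEADER32 offset
    if struct.unpack_from("<H", nt, opt)[0] != 0x10B:
        raise ValueError("not PE32; this example only handles 32-bit images")
    entry_point = struct.unpack_from("<I", nt, opt + 16)[0]
    image_base = struct.unpack_from("<I", nt, opt + 28)[0]
    sections = []
    table = e_lfanew + opt + opt_size                            # second seek target
    for i in range(nsec):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + SECTION_HEADER_SIZE]
        if len(raw) < SECTION_HEADER_SIZE:
            raise ValueError(f"section table truncated at entry {i}")
        name, vsize, va, rsize, rptr, _rel, _ln, _nrel, _nln, ch = struct.unpack("<8sIIIIIIHHI", raw)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, va, rsize, rptr, ch))
    return PEHeaders(e_lfanew, machine, nsec, entry_point, image_base, sections)


def writable_executable_sections(hdr: PEHeaders) -> List[str]:
    """Names of sections a loader would map RWX (both MEM_WRITE and MEM_EXECUTE set)."""
    both = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s.name for s in hdr.sections if s.characteristics & both == both]


def build_sample_pe() -> bytes:
    """Constructed input: a header-only PE32 image with three sections and no code."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)   # i386, 3 sections
    # Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase; rest of the header zeroed
    opt_hdr = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0,
                          0x1000, 0x1000, 0x2000, 0x400000).ljust(0xE0, b"\0")

    def sec(name, va, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, rptr, 0, 0, 0, 0, flags)

    return (dos + b"PE\0\0" + file_hdr + opt_hdr
            + sec(b".text", 0x1000, 0x400, 0x60000020)    # code: execute + read
            + sec(b".data", 0x2000, 0x600, 0xC0000040)    # data: read + write
            + sec(b".stub", 0x3000, 0x800, 0xE0000020))   # hypothetical RWX section


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    for s in hdr.sections:
        print(f"{s.name:<8} va=0x{s.virtual_address:X} raw=0x{s.raw_pointer:X} "
              f"flags=0x{s.characteristics:08X}")
    print("writable+executable:", writable_executable_sections(hdr))
```

Run it against the dropped executables from this analysis instead of the constructed blob to see whether any of them already ship a writable-and-executable section, or whether the RWX view only exists after the VirtualProtect calls recorded later in this report.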

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 708 4f003c-4f0047 709 4f004c-4f0263 call 4f0a3f call 4f0e0f call 4f0d90 VirtualAlloc 708->709 710 4f0049 708->710 725 4f028b-4f0292 709->725 726 4f0265-4f0289 call 4f0a69 709->726 710->709 728 4f02a1-4f02b0 725->728 730 4f02ce-4f03c2 VirtualProtect call 4f0cce call 4f0ce7 726->730 728->730 731 4f02b2-4f02cc 728->731 737 4f03d1-4f03e0 730->737 731->728 738 4f0439-4f04b8 VirtualFree 737->738 739 4f03e2-4f0437 call 4f0ce7 737->739 741 4f04be-4f04cd 738->741 742 4f05f4-4f05fe 738->742 739->737 744 4f04d3-4f04dd 741->744 745 4f077f-4f0789 742->745 746 4f0604-4f060d 742->746 744->742 750 4f04e3-4f0505 LoadLibraryA 744->750 748 4f078b-4f07a3 745->748 749 4f07a6-4f07b0 745->749 746->745 751 4f0613-4f0637 746->751 748->749 752 4f086e-4f08be LoadLibraryA 749->752 753 4f07b6-4f07cb 749->753 754 4f0517-4f0520 750->754 755 4f0507-4f0515 750->755 756 4f063e-4f0648 751->756 760 4f08c7-4f08f9 752->760 757 4f07d2-4f07d5 753->757 758 4f0526-4f0547 754->758 755->758 756->745 759 4f064e-4f065a 756->759 761 4f07d7-4f07e0 757->761 762 4f0824-4f0833 757->762 763 4f054d-4f0550 758->763 759->745 764 4f0660-4f066a 759->764 765 4f08fb-4f0901 760->765 766 4f0902-4f091d 760->766 767 4f07e4-4f0822 761->767 768 4f07e2 761->768 772 4f0839-4f083c 762->772 769 4f0556-4f056b 763->769 770 4f05e0-4f05ef 763->770 771 4f067a-4f0689 764->771 765->766 767->757 768->762 773 4f056f-4f057a 769->773 774 4f056d 769->774 770->744 775 4f068f-4f06b2 771->775 776 4f0750-4f077a 771->776 772->752 777 4f083e-4f0847 772->777 783 4f057c-4f0599 773->783 784 4f059b-4f05bb 773->784 774->770 778 4f06ef-4f06fc 775->778 779 4f06b4-4f06ed 775->779 776->756 780 4f084b-4f086c 777->780 781 4f0849 777->781 785 4f06fe-4f0748 778->785 786 4f074b 778->786 779->778 780->772 781->752 791 4f05bd-4f05db 783->791 784->791 785->786 786->771 791->763
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004F024D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID: cess$kernel32.dll
                                                                                      • API String ID: 4275171209-1230238691
                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction ID: 83880b094ae64c264b2fc075c34aefdff4589c7d83e42e366babc69d92f96334
                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction Fuzzy Hash: 6E527A74A01229DFDB64CF58C984BA9BBB1BF09304F1480DAE50DAB352DB34AE85DF15
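
The graph above runs VirtualAlloc, then VirtualProtect, then LoadLibraryA in a loop alongside the string kernel32.dll, the shape of a loader that maps an image into fresh memory and resolves its imports; the hex arguments Joe Sandbox prints are raw Win32 flag values, so reading them back as names is what tells you the allocation is PAGE_READWRITE here while function 41a350 below flips a range to PAGE_EXECUTE_READWRITE, which is consistent with the "changes PE section rights" signature in the overview. The following Python is an added example, not part of the report or the sample: it parses API lines copied from this page and decodes the flag arguments with a small table of documented Win32 constants. The helper names and the choice of which arguments to decode are this example's own.

```python
import re
from typing import Dict, List, Optional

# Documented Win32 constants used to decode the hex arguments in the trace lines.
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
        0x80: "FILE_ATTRIBUTE_NORMAL", 0x40000000: "FILE_FLAG_OVERLAPPED"}

# (argument index, argument name, table, decode as bitmask?) for the APIs we care about
API_ARGS = {
    "VirtualAlloc":       [(2, "flAllocationType", MEM, True), (3, "flProtect", PAGE, True)],
    "VirtualProtect":     [(2, "flNewProtect", PAGE, True)],
    "CreateFileA":        [(1, "dwDesiredAccess", ACCESS, True), (2, "dwShareMode", SHARE, True),
                           (4, "dwCreationDisposition", DISPOSITION, False),
                           (5, "dwFlagsAndAttributes", ATTR, True)],
    "SetFileAttributesA": [(1, "dwFileAttributes", ATTR, True)],
}

# Joe Sandbox line shape: "Api.MODULE(arg,arg,...), ref: ADDRESS"; '?' marks unknown args
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)"
                     r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")

# Lines copied from this report (function 4f003c, 41a350, 40675c and 404000).
SAMPLE_LINES = [
    "• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004F024D",
    "• VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A440",
    "• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,"
    "?,774D0F10,00000000), ref: 0040679A",
    "• SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF",
    "• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,"
    "00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,"
    "00000000,?,004098FD), ref: 00404021",
]


def parse_call(line: str) -> Optional[Dict]:
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16) if m.group("ref") else None}


def _as_int(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def decode_flags(value: int, table: Dict[int, str], bitmask: bool) -> str:
    if not bitmask:
        return table.get(value, f"0x{value:X}")
    names, rest = [], value
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")          # bits the table does not know
    return "|".join(names) if names else "0"


def decode_call(call: Dict) -> List[str]:
    out = []
    for idx, name, table, bitmask in API_ARGS.get(call["api"], []):
        if idx >= len(call["args"]):
            continue
        v = _as_int(call["args"][idx])
        out.append(f"{name}={'?' if v is None else decode_flags(v, table, bitmask)}")
    return out


def grants_write_and_execute(call: Dict) -> bool:
    """True for VirtualAlloc/VirtualProtect asking for PAGE_EXECUTE_READWRITE or _WRITECOPY."""
    for idx, _name, table, _bm in API_ARGS.get(call["api"], []):
        if table is PAGE and idx < len(call["args"]):
            v = _as_int(call["args"][idx])
            if v is not None and v & 0xC0:
                return True
    return False


def summarize(lines: List[str]) -> List[str]:
    rows = []
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        tag = " [RWX]" if grants_write_and_execute(call) else ""
        rows.append(f"{call['ref']:08X} {call['api']}: {', '.join(decode_call(call))}{tag}")
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Feed the full APIs list of a function to summarize() to get a readable sequence of what it asks the OS for; an RW allocation followed by an RWX VirtualProtect and a LoadLibraryA loop is worth treating as a manual mapper regardless of which packer produced it.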

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 792 41a933-41a93a 793 41a940-41a950 792->793 794 41a952 793->794 795 41a957-41a95a 793->795 794->795 795->793 796 41a95c-41a97f LoadLibraryW call 41a350 call 41a5c0 795->796 801 41a980-41a987 796->801 802 41a989-41a999 GlobalSize 801->802 803 41a99d-41a9a3 801->803 802->803 804 41a9a5 call 41a340 803->804 805 41a9aa-41a9b1 803->805 804->805 808 41a9c0-41a9c7 805->808 809 41a9b3-41a9ba InterlockedExchangeAdd 805->809 808->801 810 41a9c9-41a9d9 808->810 809->808 811 41a9e0-41a9e5 810->811 812 41a9e7-41a9ed 811->812 813 41a9ef-41a9f5 811->813 812->813 814 41a9f7-41aa0b 812->814 813->811 813->814
                                                                                      APIs
                                                                                      • LoadLibraryW.KERNELBASE(0041CA40), ref: 0041A961
                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A98B
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041A9BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358812255.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_415000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                      • String ID: k`$}$
                                                                                      • API String ID: 1230614907-956986773
                                                                                      • Opcode ID: d3d032c72053aceecd28de272ac849355dd5813b76bd1eed268e775e1403a36a
                                                                                      • Instruction ID: 87d718edd81fec5578da447485a1248bdf804c4c94e660229896a94c6f6a257a
                                                                                      • Opcode Fuzzy Hash: d3d032c72053aceecd28de272ac849355dd5813b76bd1eed268e775e1403a36a
                                                                                      • Instruction Fuzzy Hash: 33115B706552108BC7309B20DC42BDFB750EB49315F02483FE6A9862A1CB7854E18BDF

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 4131120076-2980165447
                                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 831 41a350-41a445 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00421ED0), ref: 0041A3EE
                                                                                      • GetProcAddress.KERNEL32(00000000,00420640), ref: 0041A421
                                                                                      • VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A440
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358812255.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_415000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 2099061454-3916222277
                                                                                      • Opcode ID: 301b48656fdeabb88a85c72d70f5d368dde583ca559c2ddd4d3b112bc4849b32
                                                                                      • Instruction ID: d1e14fb232e0ed7b86ecf6662b745481911f37886fb3b6d0d712552d8374243e
                                                                                      • Opcode Fuzzy Hash: 301b48656fdeabb88a85c72d70f5d368dde583ca559c2ddd4d3b112bc4849b32
                                                                                      • Instruction Fuzzy Hash: 9E113774728344DAD330CF64FD45B063AB5EBA4704F81503DD8088B2B2D7B61526C75E

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 832 404000-404008 833 40400b-40402a CreateFileA 832->833 834 404057 833->834 835 40402c-404035 GetLastError 833->835 838 404059-40405c 834->838 836 404052 835->836 837 404037-40403a 835->837 840 404054-404056 836->840 837->836 839 40403c-40403f 837->839 838->840 839->838 841 404041-404050 Sleep 839->841 841->833 841->836
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 408151869-2980165447
                                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 842 406987-4069b7 843 4069e0 842->843 844 4069b9-4069be 842->844 846 4069e4-4069fd WriteFile 843->846 844->843 845 4069c0-4069d0 844->845 847 4069d2 845->847 848 4069d5-4069de 845->848 849 406a4d-406a51 846->849 850 4069ff-406a02 846->850 847->848 848->846 851 406a53-406a56 849->851 852 406a59 849->852 850->849 853 406a04-406a08 850->853 851->852 854 406a5b-406a5f 852->854 855 406a0a-406a0d 853->855 856 406a3c-406a3e 853->856 857 406a10-406a2e WriteFile 855->857 856->854 858 406a40-406a4b 857->858 859 406a30-406a33 857->859 858->854 859->858 860 406a35-406a3a 859->860 860->856 860->857
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,k@
                                                                                      • API String ID: 3934441357-1053005162
                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 879 4091eb-409208 880 409308 879->880 881 40920e-40921c call 40ed03 879->881 883 40930b-40930f 880->883 885 40921e-40922c call 40ed03 881->885 886 40923f-409249 881->886 885->886 893 40922e-409230 885->893 888 409250-409270 call 40ee08 886->888 889 40924b 886->889 894 409272-40927f 888->894 895 4092dd-4092e1 888->895 889->888 896 409233-409238 893->896 897 409281-409285 894->897 898 40929b-40929e 894->898 899 4092e3-4092e5 895->899 900 4092e7-4092e8 895->900 896->896 901 40923a-40923c 896->901 897->897 902 409287 897->902 904 4092a0 898->904 905 40928e-409293 898->905 899->900 903 4092ea-4092ef 899->903 900->895 901->886 902->898 908 4092f1-4092f6 Sleep 903->908 909 4092fc-409302 903->909 910 4092a8-4092ab 904->910 906 409295-409298 905->906 907 409289-40928c 905->907 906->910 911 40929a 906->911 907->905 907->911 908->909 909->880 909->881 912 4092a2-4092a5 910->912 913 4092ad-4092b0 910->913 911->898 914 4092b2 912->914 915 4092a7 912->915 913->914 916 4092bd 913->916 917 4092b5-4092b9 914->917 915->910 918 4092bf-4092db ShellExecuteA 916->918 917->917 919 4092bb 917->919 918->895 920 409310-409324 918->920 919->918 920->883
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-0
                                                                                      • Opcode ID: f879f8fadec04f6bf6b1199d3439cd872fe94bd0f9ee82a20ab95112746dcfee
                                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                      • Opcode Fuzzy Hash: f879f8fadec04f6bf6b1199d3439cd872fe94bd0f9ee82a20ab95112746dcfee
                                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,004F0223,?,?), ref: 004F0E19
                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,004F0223,?,?), ref: 004F0E1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction ID: 0f54c85112c70c8300c1c69f5b337ed9408a1e8e4429274e0b8fc5c206ebf4b7
                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction Fuzzy Hash: 37D0123154512CB7D7002A94DC09BDE7B1CDF05B62F008411FB0DD9181C774994046E9
                                                                                      APIs
                                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                      • String ID:
                                                                                      • API String ID: 1823874839-0
                                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                      APIs
                                                                                      • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 004F0929
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 560597551-0
                                                                                      • Opcode ID: 3c70e2495a12ff6ae4c515c261271d7c947c2eb84b30f042f73628172fd7eedf
                                                                                      • Instruction ID: 1318691bb2f91343321d018af63213c0b44ed3bcc8f8abdb047d49f21bb7817d
                                                                                      • Opcode Fuzzy Hash: 3c70e2495a12ff6ae4c515c261271d7c947c2eb84b30f042f73628172fd7eedf
                                                                                      • Instruction Fuzzy Hash: 8190026828415071D920659C0C01B9501452742630F3407507130996D0D441A6005115
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0052A1C6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, Offset: 00529000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_529000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: 1cb39530bc3e531852dc37a637de4558697bdbb93d05794b5fe6a9f2abb6df15
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: 5D113F79A00208EFDB01DF98C985E98BFF5AF08350F058094F9489B361D771EA50DF91
                                                                                      APIs
                                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-3791576231
                                                                                      • Opcode ID: 44f18751907ac83f0597d90c4008e51201f03a759b9f1f15cdb9985a75ef01ab
                                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                      • Opcode Fuzzy Hash: 44f18751907ac83f0597d90c4008e51201f03a759b9f1f15cdb9985a75ef01ab
                                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040B2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040B2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-1839596206
                                                                                      • Opcode ID: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 00402A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 00402A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                      • select.WS2_32 ref: 00402B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2404124870-2980165447
                                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *p@
                                                                                      • API String ID: 3429775523-2474123842
                                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004F65F6
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004F6610
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004F6631
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004F6652
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction ID: 3d2a489c04368c9cbaf241e53be49382c160a194b09cb0f6ade92607c0483def
                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction Fuzzy Hash: 9911777160021CBFEB115F65DC46FAB3FA8EF057A5F114025FA04E7251DBB5DD0086A8
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
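The entries above are raw per-function API-call listings whose constant arguments carry most of the information: the file-DACL function calls SetFileSecurityA with 00000004 (DACL_SECURITY_INFORMATION), the ShellExecuteExW function carries the strings "uac" and "wusa.exe", the UDP function calls socket(00000002,00000002,00000011) (AF_INET, SOCK_DGRAM, IPPROTO_UDP), the token-check function builds a SID with two sub-authorities 00000020 and 00000220 (RID 32-544, BUILTIN\Administrators under the NT authority) before CheckTokenMembership, and both injection functions call VirtualAllocEx with 00000040 (PAGE_EXECUTE_READWRITE) before WriteProcessMemory. The following is an added example, not code from the Joe Sandbox report or from the sample: a Python triage helper that parses this listing format and tags each function with what its API set and constants suggest. Its embedded SAMPLE is a constructed subset copied from the entries on this page; the parse_listing, classify and triage names and every capability rule are the example's own heuristics, not Joe Sandbox signatures, and the constant decodings are the standard Windows header values.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not part of the
report). Capability rules are the example's own heuristics, not sandbox signatures."""
import re
from dataclasses import dataclass, field

# One call line: "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA"
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # 8-hex-digit argument, optionally negative

# Constructed input: a subset of the entries on this page, one function per Opcode ID.
SAMPLE = r"""
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• Opcode ID: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
• Opcode ID: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
"""

@dataclass
class Call:
    api: str
    module: str
    args: list   # int for hex values, None for '?', str for string literals
    ref: int     # address of the call site

@dataclass
class FunctionEntry:
    opcode_id: str = ""
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    def apis(self):
        return {c.api for c in self.calls}
    def first(self, api):
        return next((c for c in self.calls if c.api == api), None)

def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if HEX_RE.match(tok) else tok

def parse_listing(text):
    """Split a listing into FunctionEntry records; an entry ends at its Instruction Fuzzy Hash."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
        elif line.startswith("• String ID:"):
            cur.strings = [s.strip() for s in line[len("• String ID:"):].split("$") if s.strip()]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            entries.append(cur)
            cur = FunctionEntry()
    if cur.calls or cur.strings:          # keep a trailing entry cut off mid-listing
        entries.append(cur)
    return entries

def classify(entry):
    """Tag one function with what its API set and constant arguments suggest."""
    tags, apis = [], entry.apis()
    if {"VirtualAllocEx", "WriteProcessMemory"} <= apis:
        va = entry.first("VirtualAllocEx")
        rwx = len(va.args) > 4 and va.args[4] == 0x40        # flProtect == PAGE_EXECUTE_READWRITE
        tags.append("remote memory write" + (" (PAGE_EXECUTE_READWRITE)" if rwx else ""))
    if {"AllocateAndInitializeSid", "CheckTokenMembership"} <= apis:
        sid = entry.first("AllocateAndInitializeSid")
        admins = sid.args[1:4] == [2, 0x20, 0x220]           # two sub-authorities, RID 32-544
        tags.append("token membership check" + (" for RID 32-544 (BUILTIN\\Administrators under the NT authority)" if admins else ""))
    sock = entry.first("socket")
    if sock and sock.args[:3] == [2, 2, 0x11]:
        tags.append("UDP socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)")
    sfs = entry.first("SetFileSecurityA")
    if sfs and "SetSecurityDescriptorDacl" in apis and sfs.args[1:2] == [4]:
        tags.append("file DACL rewrite (DACL_SECURITY_INFORMATION)")
    uac = {"uac", "wusa.exe", "PromptOnSecureDesktop"} & set(entry.strings)
    if uac:
        tags.append("UAC-related strings: " + ", ".join(sorted(uac)))
    return tags

def triage(text=SAMPLE):
    """Map the first 8 hex digits of each Opcode ID to its capability tags."""
    return {e.opcode_id[:8]: classify(e) for e in parse_listing(text)}

if __name__ == "__main__":
    for oid, tags in triage().items():
        print(oid, "->", "; ".join(tags) or "(no rule matched)")
```

Run it directly to print one line per Opcode ID, or pass the full listing from the report page to triage() to tag every function at once. The tags are prompts for manual review, not verdicts: a RID 32-544 membership check or an RWX remote allocation is also what installers and debuggers do, and an argument shown as "?" was not resolved by the sandbox, so rules that depend on it simply do not fire.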
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3754425949-0
                                                                                      • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                      • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359133797.0000000000529000.00000040.00000020.00020000.00000000.sdmp, Offset: 00529000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_529000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction ID: fc7c4541889a1a62e8f990618541f372558db32837fc29df7cb9c0da196cf9be
                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction Fuzzy Hash: 07117C72340110AFD744DE55EC81FA677EAFF8A320B298065ED08CB352E675EC01C760
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction ID: 2b3fd6cf4533f3a8e818fb1884d4457831b369b992358946cb87bab4cba5e53e
                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction Fuzzy Hash: 3701A7766016088FDF21CF64C904BBB33E5FBD6316F4544A6DA0697342E778A9418B94
APIs
• ExitProcess.KERNEL32 ref: 004F9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 004F9FE1
• lstrcat.KERNEL32(?,?), ref: 004F9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 004FA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 004FA054
• DeleteFileA.KERNEL32(?), ref: 004FA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 004FA0D6
• lstrcpy.KERNEL32 ref: 004FA12F
• lstrlen.KERNEL32(00000022), ref: 004FA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 004F9F13
  • Part of subcall function 004F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 004F7081
  • Part of subcall function 004F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uzbdhnkh,004F7043), ref: 004F6F4E
  • Part of subcall function 004F6F30: GetProcAddress.KERNEL32(00000000), ref: 004F6F55
  • Part of subcall function 004F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004F6F7B
  • Part of subcall function 004F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004F6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 004FA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 004FA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 004FA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 004FA21B
• GetDriveTypeA.KERNEL32(?), ref: 004FA265
• lstrcat.KERNEL32(?,00000000), ref: 004FA29F
• lstrcat.KERNEL32(?,00410A34), ref: 004FA2C5
• lstrcat.KERNEL32(?,00000022), ref: 004FA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 004FA2F4
• wsprintfA.USER32 ref: 004FA31D
• lstrcat.KERNEL32(?,00000000), ref: 004FA345
• lstrcat.KERNEL32(?,?), ref: 004FA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 004FA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 004FA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 004FA1D1
  • Part of subcall function 004F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 004F999D
  • Part of subcall function 004F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 004F99BD
  • Part of subcall function 004F9966: RegCloseKey.ADVAPI32(?), ref: 004F99C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 004FA3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 004FA3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 004FA41D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
• Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction ID: 2ffde47dd54e4c769b2d19119485e3fcddbc16ea6cd932aa3910f51df4df4fc8
• Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction Fuzzy Hash: 52F143B1D4025DAFDB11DBA19C49EFF77BCAB08304F0440AAE709E2141E7798A958F69
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 004F7D21
• GetUserNameA.ADVAPI32(?,?), ref: 004F7D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 004F7DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 004F7DC0
• EqualSid.ADVAPI32(?,?), ref: 004F7DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004F7E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 004F7E12
• LocalFree.KERNEL32(00000000), ref: 004F7E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F7E35
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: ea1d42171a28daf055a40cde6cb00c9ff3dc6cf8f1263e0251a775b1504ff7f1
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 76A13F7190021DAFDB118FA5DD44FFFBBB9FB08344F14806AE605E6250DB798A85CB68
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 004F7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7ACD
• GetLengthSid.ADVAPI32(?), ref: 004F7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 004F7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 004F7B1F
• EqualSid.ADVAPI32(?,?), ref: 004F7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004F7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 004F7B77
• LocalFree.KERNEL32(00000000), ref: 004F7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F7B9A
• GetAce.ADVAPI32(?,?,?), ref: 004F7BCA
• EqualSid.ADVAPI32(?,?), ref: 004F7BF1
• DeleteAce.ADVAPI32(?,?), ref: 004F7C0A
• EqualSid.ADVAPI32(?,?), ref: 004F7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 004F7CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 004F7CE0
• LocalFree.KERNEL32(00000000), ref: 004F7CEE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 3a77c08836b2857502a4331bd1c43677ec5dba8743c4b6fa9e450600431a176b
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 22814C7190425DAFDB11CFA5DD84FEFBBB8AF08304F04816AE605E6250D77D9A41CB68
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: PromptOnSecureDesktop$localcfg
• API String ID: 237177642-1678164370
• Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 835516345-270533642
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 004F865A
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 004F867B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 004F86A8
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 004F86B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 237177642-3108538426
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 004F1601
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 004F17D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $<$@$D
                                                                                      • API String ID: 1628651668-1974347203
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004F76D9
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 004F7757
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 004F778F
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004F78B4
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F794E
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004F796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F797E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F79AC
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F7A56
                                                                                        • Part of subcall function 004FF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,004F772A,?), ref: 004FF414
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004F79F6
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F7A4D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 3433985886-3108538426
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 004F2CED
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 004F2D07
                                                                                      • htons.WS2_32(00000000), ref: 004F2D42
                                                                                      • select.WS2_32 ref: 004F2D8F
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 004F2DB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 004F2E62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 127016686-0
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                      • API String ID: 3631595830-1816598006
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                      • API String ID: 929413710-2099955842
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?), ref: 004F95A7
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004F95D5
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004F95DC
                                                                                      • wsprintfA.USER32 ref: 004F9635
                                                                                      • wsprintfA.USER32 ref: 004F9673
                                                                                      • wsprintfA.USER32 ref: 004F96F4
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004F9758
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004F978D
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004F97D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3696105349-2980165447
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-142018493
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 004F202D
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 004F204F
                                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 004F206A
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004F2071
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 004F2082
                                                                                      • GetTickCount.KERNEL32 ref: 004F2230
                                                                                        • Part of subcall function 004F1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 004F1E7C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                      • API String ID: 4207808166-1391650218
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-3679488032
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 004F3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 004F3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 004F3095
• RtlAllocateHeap.NTDLL(00000000), ref: 004F30B6
• htons.WS2_32(00000035), ref: 004F30EF
• inet_addr.WS2_32(?), ref: 004F30FA
• gethostbyname.WS2_32(?), ref: 004F310D
• HeapFree.KERNEL32(00000000), ref: 004F314D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
APIs
• GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004F67C3
• htonl.WS2_32(?), ref: 004F67DF
• htonl.WS2_32(?), ref: 004F67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 004F68F1
• ExitProcess.KERNEL32 ref: 004F69BC
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
APIs
• htons.WS2_32(004FCC84), ref: 004FF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 004FF5CE
• closesocket.WS2_32(00000000), ref: 004FF5DC
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 004F2FA1
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 004F2FB1
                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 004F2FC8
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 004F3000
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 004F3007
                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 004F3032
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: dnsapi.dll
                                                                                      • API String ID: 1242400761-3175542204
                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction ID: 752f38ae74552d3b36b59895a24eed5170453ee010ae7f445c185af8568c9611
                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction Fuzzy Hash: 8521627194162ABBCB219F55DC449BFBBB8EF08B51F104422FA05E7240D7B89E8197E8
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uzbdhnkh,004F7043), ref: 004F6F4E
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004F6F55
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004F6F7B
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004F6F92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\uzbdhnkh
                                                                                      • API String ID: 1082366364-1824400605
                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction ID: fbc83f6f683bc6f5d8e0667ec7e99a7ad985f1f877650edb813cd02fa6329aff
                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction Fuzzy Hash: B52104217443487EF7225731AD89FFB2E4C8F52714F1840AAF704D5292DADD88DA827D
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3609698214-2980165447
                                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 004F92E2
                                                                                      • wsprintfA.USER32 ref: 004F9350
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004F9375
                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 004F9389
                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 004F9394
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004F939B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2439722600-2980165447
                                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction ID: e57c8f7dead29f136ba56e90991f335a8b74234e30bce7290562de04d4912349
                                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction Fuzzy Hash: F51175B56401187BE7206732DC0EFFF3A6DDFC8B15F00806ABB05A5091EAB84A458669
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2439722600-2980165447
                                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 004F9A18
                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 004F9A52
                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004F9A60
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 004F9A98
                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 004F9AB5
                                                                                      • ResumeThread.KERNEL32(?), ref: 004F9AC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction ID: 5061966d04c3ade6eac9b78a4c1e3723a6885e93e111f1cfbbf2169db5174c06
                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction Fuzzy Hash: 19212C71E0111DBBDB119BA1DC09FEF7BBCEF04750F404062BA19E1150EB758A44CAA8
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(004102D8), ref: 004F1C18
                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 004F1C26
                                                                                      • GetProcessHeap.KERNEL32 ref: 004F1C84
                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 004F1C9D
                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 004F1CC1
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 004F1D02
                                                                                      • FreeLibrary.KERNEL32(?), ref: 004F1D0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID:
                                                                                      • API String ID: 2324436984-0
                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction ID: 5e5a31f444ac4164fad746dd10f82749229f408dbe41f399d5a468b32378a64e
                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction Fuzzy Hash: 4F313E31D0025DFFDB119FA4DC888BFBAB9EB45711B24447BE601A2220D7B95E80DB98
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue$CloseOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1586453840-2980165447
                                                                                      • Opcode ID: 1d5f752cf5e4d4e7205d8b51b4cea38d33843a7f37b29257b789d56d7c64f5a9
                                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                      • Opcode Fuzzy Hash: 1d5f752cf5e4d4e7205d8b51b4cea38d33843a7f37b29257b789d56d7c64f5a9
                                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1371578007-2980165447
                                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004F6CE4
                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004F6D22
                                                                                      • GetLastError.KERNEL32 ref: 004F6DA7
                                                                                      • CloseHandle.KERNEL32(?), ref: 004F6DB5
                                                                                      • GetLastError.KERNEL32 ref: 004F6DD6
                                                                                      • DeleteFileA.KERNEL32(?), ref: 004F6DE7
                                                                                      • GetLastError.KERNEL32 ref: 004F6DFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3873183294-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: 5818ecba3b80d87adcd53d380b3a1b22c3901d8e57b31c1c1088cb5ae76473a8
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 8D31F076A0024DBFCB01DFA49D48AEF7F79EF48300F15816AE311E3221D7748A858B69
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,004FE50A,00000000,00000000,00000000,00020106,00000000,004FE50A,00000000,000000E4), ref: 004FE319
                                                                                      • RegSetValueExA.ADVAPI32(004FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 004FE38E
                                                                                      • RegDeleteValueA.ADVAPI32(004FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO), ref: 004FE3BF
                                                                                      • RegCloseKey.ADVAPI32(004FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO,004FE50A), ref: 004FE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop$DO
                                                                                      • API String ID: 2667537340-4234893205
                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction ID: 033a8570c2f0a12c211eac4fc2b39da4a029b890c7bf759ab30f60348c26398e
                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction Fuzzy Hash: 29217F31A0021DABDF209FA5EC89EEF7F78EF08750F048022FA04E6161E2718A54D795
                                                                                      APIs
                                                                                      • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A50D
                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A525
                                                                                      • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A52D
                                                                                      • GetComputerNameW.KERNEL32(?,?), ref: 0041A577
                                                                                      • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A588
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358812255.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_415000_ODy57hA4Su.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$BuildCommComputerExceptionFilterPathPrivateProfileShortStringUnhandledWrite
                                                                                      • String ID: -
                                                                                      • API String ID: 2733835202-2547889144
                                                                                      • Opcode ID: dd34520314507014667174f0e6434c3dbda5242ed859e180898910edffc3a613
                                                                                      • Instruction ID: 3cde9b8d507e75d165a48e7d4f5241052d71a567071430f553e1f5bb8a0b190c
                                                                                      • Opcode Fuzzy Hash: dd34520314507014667174f0e6434c3dbda5242ed859e180898910edffc3a613
                                                                                      • Instruction Fuzzy Hash: C121E770545214BBEB209F64DC85FEE7BB5EB4C320F5041A9F6099A181CF785AC48F5A
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004F93C6
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004F93CD
                                                                                      • CharToOemA.USER32(?,?), ref: 004F93DB
                                                                                      • wsprintfA.USER32 ref: 004F9410
                                                                                        • Part of subcall function 004F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 004F92E2
                                                                                        • Part of subcall function 004F92CB: wsprintfA.USER32 ref: 004F9350
                                                                                        • Part of subcall function 004F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004F9375
                                                                                        • Part of subcall function 004F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 004F9389
                                                                                        • Part of subcall function 004F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 004F9394
                                                                                        • Part of subcall function 004F92CB: CloseHandle.KERNEL32(00000000), ref: 004F939B
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004F9448
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction ID: dc98a73525188daaa68b68e0e676f8eb6908c8a93ecfbefd388ad01e7e2decb4
                                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction Fuzzy Hash: 830152F69001187BD721A7619D49FEF377CDB95705F0040A6BB49E2080DAB89AC58F75
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: $localcfg
                                                                                      • API String ID: 1659193697-2018645984
                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction ID: abe62a84cd552543387306661d6b7713cf87420bb1596c48ace48a0de67840f1
                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction Fuzzy Hash: EF71F9F190034CAADF219A54DC85BFF376A9B00349F244027FB0CA6191DB6D5DA8875F
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                      • Opcode Fuzzy Hash: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                      APIs
                                                                                        • Part of subcall function 004FDF6C: GetCurrentThreadId.KERNEL32 ref: 004FDFBA
                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 004FE8FA
                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,004F6128), ref: 004FE950
                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 004FE989
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 2920362961-1846390581
                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction ID: 2312fd1faa4fb61235753830451277c640a72c4adca758d620778e074cbb9dc7
                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction Fuzzy Hash: 6F31A371600709DBCB718F26C884F777BE4EB05712F10852BE75587661D3B8E880C76A
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction ID: 7118eb35368bf444dc22d30405b066ddb8f8be7a6666ea8fdfc1b5fdcb8963d8
                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction Fuzzy Hash: 7A218E7720411DBFDB109B71FC49EEF3FADDB49365B218426F602D1091EB799A009678
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                      • Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,0040E538,?,774D0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004FC6B4
                                                                                      • InterlockedIncrement.KERNEL32(004FC74B), ref: 004FC715
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,004FC747), ref: 004FC728
                                                                                      • CloseHandle.KERNEL32(00000000,?,004FC747,00413588,004F8A77), ref: 004FC733
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1026198776-1857712256
                                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction ID: 1baa1e8a33070bf9f4f1f1e3df23bead3bfd7e010cf1ccaa7439cd7379f67a11
                                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction Fuzzy Hash: 86515CB1A04B499FD7249F29C6C452ABBE9FB48304B50593FE28BC7A90D778F844CB54
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 004081BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 124786226-2980165447
                                                                                      • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                      • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2667537340-2980165447
                                                                                      • Opcode ID: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                      • Opcode Fuzzy Hash: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004F71E1
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7228
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 004F7286
                                                                                      • wsprintfA.USER32 ref: 004F729D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                      • String ID: |
                                                                                      • API String ID: 2539190677-2343686810
                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction ID: bda2ee3966f3e839f10813a0e4ea6b2234f65371954c34e7729082207cf8e4f2
                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction Fuzzy Hash: 93312D7290410CBFDB01DFA9DD45AEB7BACEF04314F14C066F959DB201EA79DA488B98
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                      • lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                      • lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 004FB51A
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004FB529
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004FB548
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 004FB590
                                                                                      • wsprintfA.USER32 ref: 004FB61E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 4026320513-0
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 2fe3ef36c844b5928c07eb47ceb0f482e766f23d7b6ba70341d9ca0295f94f8d
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: 40510DB1D0021DAACF14DFD5D8895FEBBB9EF49304F10816BE605A6150E7B84AC9CF98
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 004F6303
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 004F632A
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004F63B1
                                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 004F6405
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 3498078134-0
                                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction ID: 79e5c7c47ad47ffcd8d22154af752f8fb427822527447ecedae1f5c54b7c3a9a
                                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction Fuzzy Hash: 5A416B71A00219ABDB14CF58C884ABAB7B8EF04318F26816AEE15D7390D779ED41CB58
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 981fb48902faec8b3b60e951c7ac5498972a27d8d4857947259acf027c15d2af
                                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                      • Opcode Fuzzy Hash: 981fb48902faec8b3b60e951c7ac5498972a27d8d4857947259acf027c15d2af
                                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,774D0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: A$ A
                                                                                      • API String ID: 3343386518-686259309
                                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1128258776-0
                                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
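The raw hex arguments Joe Sandbox prints for the five setsockopt calls above (level 0000FFFF with options 00000004, 00001005, 00001006 and 00000080, plus level 00000006 with option 00000001) and for the RegCreateKeyExA call earlier in this section (hKey 80000001, samDesired 00020106) are far more readable once resolved to their Windows names. The Python below is an added example for this page, not part of the Joe Sandbox report or of the analysed sample: it parses call lines in the report's `Api.MODULE(args), ref: addr` format and decodes the Winsock and registry constants using the values from winsock2.h and winreg.h. The sample lines are copied verbatim from the entries in this section; the lookup tables cover only the constants those calls use (anything else falls back to the raw value), and string arguments containing commas are not handled.

```python
import re
from typing import Union

# Constructed sample: API-call lines copied from the function entries in this report
# (the RegCreateKeyExA entry and the five setsockopt calls).
SAMPLE_LINES = """
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
"""

# "ApiName.MODULE(arg,arg,...), ref: ADDR"; entries printed without parentheses
# (e.g. "wsprintfA.USER32 ref: ...") carry no arguments and are skipped.
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Winsock constants (winsock2.h / ws2tcpip.h).
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
SOCKOPT_NAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR",
    (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}

# Registry constants (winreg.h / winnt.h). 0x20000 is READ_CONTROL, the bit
# shared by STANDARD_RIGHTS_READ/WRITE/EXECUTE.
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_ACCESS_BITS = [  # ascending bit order
    (0x00001, "KEY_QUERY_VALUE"),
    (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"),
    (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"),
    (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"),
    (0x00200, "KEY_WOW64_32KEY"),
    (0x20000, "READ_CONTROL"),
]


def parse_arg(tok: str) -> Union[int, str, None]:
    """Joe prints numbers as 8 hex digits (optionally negative), '?' for unknown, literal strings otherwise."""
    tok = tok.strip()
    if tok == "?":
        return None
    sign, body = (-1, tok[1:]) if tok.startswith("-") else (1, tok)
    if re.fullmatch(r"[0-9A-Fa-f]{8}", body):
        return sign * int(body, 16)
    return tok


def parse_calls(text: str) -> list:
    """Extract every parenthesised API call from report text into api/module/args/ref records."""
    calls = []
    for api, module, argstr, ref in CALL_RE.findall(text):
        args = [parse_arg(a) for a in argstr.split(",")] if argstr.strip() else []
        calls.append({"api": api, "module": module, "args": args, "ref": int(ref, 16)})
    return calls


def decode_sockopt(args: list) -> tuple:
    """setsockopt(s, level, optname, optval, optlen) -> (level name, option name)."""
    level, opt = args[1], args[2]
    return LEVEL_NAMES.get(level, f"level_{level}"), SOCKOPT_NAMES.get((level, opt), f"opt_{opt}")


def decode_access_mask(mask: int) -> list:
    """Split a samDesired mask into named KEY_* bits; unknown bits are kept as hex."""
    names = [name for bit, name in KEY_ACCESS_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in KEY_ACCESS_BITS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def decode_regcreatekeyex(args: list) -> tuple:
    """RegCreateKeyExA(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, ...) -> (hive, access names)."""
    return HKEY_NAMES.get(args[0], f"hkey_{args[0]}"), decode_access_mask(args[5])


DECODERS = {"setsockopt": decode_sockopt, "RegCreateKeyExA": decode_regcreatekeyex}


def decode_report(text: str) -> list:
    """Return (ref address, api name, decoded tuple) for every call a decoder understands."""
    out = []
    for call in parse_calls(text):
        decoder = DECODERS.get(call["api"])
        if decoder:
            out.append((call["ref"], call["api"], decoder(call["args"])))
    return out


if __name__ == "__main__":
    for ref, api, decoded in decode_report(SAMPLE_LINES):
        print(f"{ref:08X} {api}: {decoded}")
```

Two details that matter when reading the decoded output: samDesired 00020106 includes KEY_WOW64_64KEY, so this 32-bit process is deliberately writing to the 64-bit view of HKEY_CURRENT_USER rather than the WOW6432Node redirection, which is where an analyst should look for the resulting key; and the socket setup applies explicit send/receive timeouts, TCP_NODELAY and SO_LINGER, a pattern typical of code that opens many short outbound connections, consistent with the Tofsee classification at the top of this report.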
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,DO,00000000,00000000,00000000), ref: 004FE470
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 004FE484
                                                                                        • Part of subcall function 004FE2FC: RegCreateKeyExA.ADVAPI32(80000001,004FE50A,00000000,00000000,00000000,00020106,00000000,004FE50A,00000000,000000E4), ref: 004FE319
                                                                                        • Part of subcall function 004FE2FC: RegSetValueExA.ADVAPI32(004FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 004FE38E
                                                                                        • Part of subcall function 004FE2FC: RegDeleteValueA.ADVAPI32(004FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO), ref: 004FE3BF
                                                                                        • Part of subcall function 004FE2FC: RegCloseKey.ADVAPI32(004FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO,004FE50A), ref: 004FE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: PromptOnSecureDesktop$DO
                                                                                      • API String ID: 4151426672-4234893205
                                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction ID: 2243ee16565b54a06db42869e932ccad39558382e0132938269ee55100bc7ad1
                                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction Fuzzy Hash: 7341AD7590021CBADB206A578C46FFB3B5CDB04719F14806BFB09541A2E7B98650DA79
                                                                                      APIs
                                                                                        • Part of subcall function 004FDF6C: GetCurrentThreadId.KERNEL32 ref: 004FDFBA
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE7BF
                                                                                      • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE7EA
                                                                                      • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE819
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1396056608-2980165447
                                                                                      • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                      • Instruction ID: 4cd32e913f89254808d1cb34a8a23a615734358c5e8914441b5a680cab90b221
                                                                                      • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                      • Instruction Fuzzy Hash: 0521D8B1A403087AF22077239C07FBB3D5CDB65765F10002ABB09A52E3EA9D945085BD
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                      • CloseHandle.KERNEL32(00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3683885500-2980165447
                                                                                      • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                      • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                      • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                      • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 2574300362-1087626847
                                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004F76D9
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004F796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F797E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseEnumOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1332880857-2980165447
                                                                                      • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                      • Instruction ID: 1b3ecd276ef450457476236e676d40991131170286f1dfa589fcebe27b7aac02
                                                                                      • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                      • Instruction Fuzzy Hash: 3A11DF70A04109AFEB119FA9DC45EBFBFB8EF41314F140166F610E6291E6BC8D508B65
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2777991786-2393279970
                                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 004F999D
                                                                                      • RegDeleteValueA.ADVAPI32(?,00000000), ref: 004F99BD
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004F99C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                      • Instruction ID: d2ae8455c005ecac14211c1267ad6c222b3d8847037c700753b84e348c758501
                                                                                      • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                      • Instruction Fuzzy Hash: ACF0C2B2680208BBF7106B51AC07FEB3A2CDB94B14F100065FB05B5192F6E99E9086BD
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                      • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                      • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                      • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                      • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                      • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg$u6A
                                                                                      • API String ID: 1594361348-1940331995
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 3f57ddd7ce856b20265f54b178e08ab626aedde501f9a6e087a4f6c66af60312
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: C3E0C2306041118FCB009B2CF848AE637E4EF0A330F008282F140D32A0C7B8DCC09748
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004F41AB
                                                                                      • GetLastError.KERNEL32 ref: 004F41B5
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 004F41C6
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F41D9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: c1ad0319f58c736313c7f55dcaf748ef48109260b895808148768c3e3d246e2f
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: E301ED7651110EABDF01DF90DE48BEF7B6CEB14355F104062FA01E2150DB749B948BB5
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004F421F
                                                                                      • GetLastError.KERNEL32 ref: 004F4229
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 004F423A
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F424D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 20ab6485db327f38d1afdba8647025253439fb405e5ea3bd3ee04bab6cdd1b69
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: DF01E57251110DABDF01DF90ED84BEF7BACEB48395F1180A2FA01E2150DB749A548BBA
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 004FE066
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B03C,0041A971), ref: 0041A5DC
• FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B03C,0041A971), ref: 0041A5F7
• RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A61A
• GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 0041A622
Memory Dump Source
• Source File: 00000004.00000002.1358812255.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_415000_ODy57hA4Su.jbxd
Similarity
• API ID: AllocateDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
• String ID:
• API String ID: 975556166-0
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 004F83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 004F8477
  • Part of subcall function 004FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,004F1DCF,?), ref: 004FEEA8
  • Part of subcall function 004FEE95: HeapFree.KERNEL32(00000000), ref: 004FEEAF
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Heap$CloseFreeOpenProcess
• String ID: PromptOnSecureDesktop
• API String ID: 1016092768-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,004FE859,00000000,00020119,004FE859,PromptOnSecureDesktop), ref: 004FE64D
• RegCloseKey.ADVAPI32(004FE859,?,?,?,?,000000C8,000000E4), ref: 004FE787
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
APIs
• GetLocalTime.KERNEL32(?), ref: 004FAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004FB00D
  • Part of subcall function 004FAF6F: gethostname.WS2_32(?,00000080), ref: 004FAF83
  • Part of subcall function 004FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 004FAFE6
  • Part of subcall function 004F331C: gethostname.WS2_32(?,00000080), ref: 004F333F
  • Part of subcall function 004F331C: gethostbyname.WS2_32(?), ref: 004F3349
  • Part of subcall function 004FAA0A: inet_ntoa.WS2_32(00000000), ref: 004FAA10
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 004F9536
• Sleep.KERNEL32(000001F4), ref: 004F955D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• GetTickCount.KERNEL32 ref: 004FB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 004FBA3A
• InterlockedIncrement.KERNEL32(?), ref: 004FBA94
• GetTickCount.KERNEL32 ref: 004FBB79
• GetTickCount.KERNEL32 ref: 004FBB99
• InterlockedIncrement.KERNEL32(?), ref: 004FBE15
• closesocket.WS2_32(00000000), ref: 004FBEB4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 004F70BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 004F70F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: 3325a2a6d500b6316e92254cb11cee5939a818b4a82ea789fafef7d08fd46b3a
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: 0C11E87290411CEBDF11CFD4DD84AEFB7BDEB04711F1441A6E601E6290D6789B88DBA4
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 004F2F88: GetModuleHandleA.KERNEL32(?), ref: 004F2FA1
                                                                                        • Part of subcall function 004F2F88: LoadLibraryA.KERNEL32(?), ref: 004F2FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F31DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 004F31E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1359005988.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_4f0000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: 8f056bec72f794e08633c106ef10aa4cfa7ac2e701ea5e72f38a866c3bc4f77a
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 8F51DC3190020AAFCF01DF64D8889FAB775FF05305F1440AAED96C7211EB36DA19CB98
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.1358768698.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000004.00000002.1358768698.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_400000_ODy57hA4Su.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                      Execution Graph

                                                                                      Execution Coverage:2.6%
                                                                                      Dynamic/Decrypted Code Coverage:2.3%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:1571
                                                                                      Total number of Limit Nodes:15
                                                                                      execution_graph (node/edge listing rendered as a flat token stream; the call chains recoverable from it, process 4, addresses in the 0x400000 image)
                                                                                      • Service control entry 0x409961: RegisterServiceCtrlHandlerA -> SetServiceStatus (0x4098c2, via the wrapper at 0x409892) -> loop at 0x4098f6: Sleep (0x409904) / helper 0x404280 -> 0x409917 -> injection routine 0x40977c
                                                                                      • Helper 0x404280: CreateEventA -> 0x403ecd (GetModuleHandleA + GetProcAddress at 0x406cdc, GetSystemDirectoryA, GetWindowsDirectoryA, lstrlenA at 0x40ef1e, GetVolumeInformationA at 0x406e02) -> CreateFileA (0x40400b; on GetLastError, Sleep at 0x404041 and retry) -> WriteFile (0x403f18) and ReadFile (0x403f8c), each followed by GetLastError -> WaitForSingleObject + GetOverlappedResult -> GetProcessHeap + HeapAlloc (0x40ebcc), GetProcessHeap + HeapSize (0x40eb7b, 0x40eba7), GetProcessHeap + HeapFree (0x40ebbf) -> CloseHandle (0x40439f twice, 0x4043ba, 0x4043c1)
                                                                                      • Injection routine 0x40977c: CreateProcessA (0x409794) -> Wow64GetThreadContext (0x4097d4) -> 0x40637c: GetModuleHandleA + VirtualAlloc (0x40638a) -> VirtualAllocEx (0x4063be) -> WriteProcessMemory (0x4063df) -> 0x409816 -> WriteProcessMemory (0x40981e) -> Wow64SetThreadContext (0x40983b) -> ResumeThread (0x409858); the alternate branch from each of these calls leads through 0x4097f5 to TerminateProcess (0x4097f6)
                                                                                      • Entry 0x409a6b: SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter -> GetSystemTimeAsFileTime + GetVolumeInformationA + GetTickCount (0x40ec54) -> GetModuleHandleA + GetModuleFileNameA (0x409aa3) -> GetCommandLineA (0x409afd) -> branches: lstrlenA (0x409b96); ExitProcess (0x409c05); 0x40675c (21 API calls); 0x404280 (30 API calls); GetModuleHandleA + GetModuleFileNameA (0x40a167) -> GetDriveTypeA (0x40a1b2) -> GetModuleHandleA + GetModuleFileNameA + CharToOemA (0x409145); GetTempPathA (0x409ca0) -> lstrcpyA (0x4099d2); GetEnvironmentVariableA (0x409e6b); GetCommandLineA (0x40a1e3) -> lstrlenA (0x40a285)
                                                                                      • 0x40a3c7: DeleteFileA (0x40a406; GetLastError at 0x40a3ed -> Sleep at 0x40a3f8 -> retry) -> CreateThread + WSAStartup (0x40a41c) -> CreateEventA (0x40405e), 0x40e52e -> 0x40eaaf, 0x401d96, 0x4080c9, 0x40c913 -> timing loop at 0x40a491: GetTickCount (0x40a49f, 0x40a4b7) / Sleep (0x40a4be)
16005->15997 16007 4099d2 16 API calls 16006->16007 16009 409e9d 16007->16009 16008 406dc2 6 API calls 16010 409d5f 16008->16010 16009->16005 16014 409eb0 lstrcpyA lstrlenA 16009->16014 16016 406cc9 5 API calls 16010->16016 16063 406ec3 16012->16063 16013 40a3c2 16017 4098f2 41 API calls 16013->16017 16015 409ef4 16014->16015 16018 406dc2 6 API calls 16015->16018 16022 409f03 16015->16022 16020 409d72 lstrcpyA lstrcatA lstrcatA 16016->16020 16017->16021 16018->16022 16019 40a39d StartServiceCtrlDispatcherA 16019->16013 16023 409cf6 16020->16023 16021->15941 16021->15944 16021->15945 16021->15948 16024 409f32 RegOpenKeyExA 16022->16024 16112 409326 16023->16112 16026 409f48 RegSetValueExA RegCloseKey 16024->16026 16029 409f70 16024->16029 16025 40a35f 16025->16013 16025->16019 16026->16029 16034 409f9d GetModuleHandleA GetModuleFileNameA 16029->16034 16030 409e0c DeleteFileA 16030->15995 16031 409dde GetFileAttributesExA 16031->16030 16033 409df7 16031->16033 16033->16005 16149 4096ff 16033->16149 16036 409fc2 16034->16036 16037 40a093 16034->16037 16036->16037 16043 409ff1 GetDriveTypeA 16036->16043 16038 40a103 CreateProcessA 16037->16038 16039 40a0a4 wsprintfA 16037->16039 16040 40a13a 16038->16040 16041 40a12a DeleteFileA 16038->16041 16155 402544 16039->16155 16040->16005 16047 4096ff 3 API calls 16040->16047 16041->16040 16043->16037 16045 40a00d 16043->16045 16049 40a02d lstrcatA 16045->16049 16046 40ee2a 16048 40a0ec lstrcatA 16046->16048 16047->16005 16048->16038 16050 40a046 16049->16050 16051 40a052 lstrcatA 16050->16051 16052 40a064 lstrcatA 16050->16052 16051->16052 16052->16037 16053 40a081 lstrcatA 16052->16053 16053->16037 16054->15939 16056 4096b9 16055->16056 16385 4073ff 16056->16385 16058 4096e2 16059 4096e9 16058->16059 16060 4096fa 16058->16060 16405 40704c 16059->16405 16060->15963 16060->15964 16062 4096f7 16062->16060 16064 406ed5 16063->16064 16065 406ecc 16063->16065 16064->16025 16430 406e36 GetUserNameW 16065->16430 16068 406784 
CreateFileA 16067->16068 16069 40677a SetFileAttributesA 16067->16069 16070 4067a4 CreateFileA 16068->16070 16071 4067b5 16068->16071 16069->16068 16070->16071 16072 4067c5 16071->16072 16073 4067ba SetFileAttributesA 16071->16073 16074 406977 16072->16074 16075 4067cf GetFileSize 16072->16075 16073->16072 16074->15970 16092 406a60 CreateFileA 16074->16092 16076 4067e5 16075->16076 16090 406922 16075->16090 16078 4067ed ReadFile 16076->16078 16076->16090 16077 40696e CloseHandle 16077->16074 16079 406811 SetFilePointer 16078->16079 16078->16090 16080 40682a ReadFile 16079->16080 16079->16090 16081 406848 SetFilePointer 16080->16081 16080->16090 16086 406867 16081->16086 16081->16090 16082 4068d0 16082->16077 16084 40ebcc 4 API calls 16082->16084 16083 406878 ReadFile 16083->16082 16083->16086 16085 4068f8 16084->16085 16087 406900 SetFilePointer 16085->16087 16085->16090 16086->16082 16086->16083 16088 40695a 16087->16088 16089 40690d ReadFile 16087->16089 16091 40ec2e codecvt 4 API calls 16088->16091 16089->16088 16089->16090 16090->16077 16091->16090 16093 406b8c GetLastError 16092->16093 16094 406a8f GetDiskFreeSpaceA 16092->16094 16095 406b86 16093->16095 16096 406ac5 16094->16096 16104 406ad7 16094->16104 16095->15988 16433 40eb0e 16096->16433 16100 406b56 CloseHandle 16100->16095 16103 406b65 GetLastError CloseHandle 16100->16103 16101 406b36 GetLastError CloseHandle 16102 406b7f DeleteFileA 16101->16102 16102->16095 16103->16102 16437 406987 16104->16437 16106 4099eb 16105->16106 16107 409a2f lstrcatA 16106->16107 16108 40ee2a 16107->16108 16109 409a4b lstrcatA 16108->16109 16110 406a60 13 API calls 16109->16110 16111 409a60 16110->16111 16111->15995 16111->16008 16111->16023 16447 401910 16112->16447 16115 40934a GetModuleHandleA GetModuleFileNameA 16117 40937f 16115->16117 16118 4093a4 16117->16118 16119 4093d9 16117->16119 16121 4093c3 wsprintfA 16118->16121 16120 409401 wsprintfA 16119->16120 16123 409415 16120->16123 16121->16123 16122 4094a0 16449 
406edd 16122->16449 16123->16122 16126 406cc9 5 API calls 16123->16126 16125 4094ac 16127 40962f 16125->16127 16128 4094e8 RegOpenKeyExA 16125->16128 16132 409439 16126->16132 16133 409646 16127->16133 16470 401820 16127->16470 16130 409502 16128->16130 16131 4094fb 16128->16131 16136 40951f RegQueryValueExA 16130->16136 16131->16127 16135 40958a 16131->16135 16137 40ef1e lstrlenA 16132->16137 16142 4095d6 16133->16142 16476 4091eb 16133->16476 16135->16133 16138 409593 16135->16138 16139 409530 16136->16139 16140 409539 16136->16140 16141 409462 16137->16141 16138->16142 16457 40f0e4 16138->16457 16143 40956e RegCloseKey 16139->16143 16144 409556 RegQueryValueExA 16140->16144 16145 40947e wsprintfA 16141->16145 16142->16030 16142->16031 16143->16131 16144->16139 16144->16143 16145->16122 16147 4095bb 16147->16142 16464 4018e0 16147->16464 16150 402544 16149->16150 16151 40972d RegOpenKeyExA 16150->16151 16152 409740 16151->16152 16153 409765 16151->16153 16154 40974f RegDeleteValueA RegCloseKey 16152->16154 16153->16005 16154->16153 16156 402554 lstrcatA 16155->16156 16156->16046 16158 402544 16157->16158 16159 40919e wsprintfA 16158->16159 16160 4091bb 16159->16160 16515 409064 GetTempPathA 16160->16515 16163 4091d5 ShellExecuteA 16164 4091e7 16163->16164 16164->15988 16522 40dd05 GetTickCount 16165->16522 16167 40e538 16529 40dbcf 16167->16529 16169 40e544 16170 40e555 GetFileSize 16169->16170 16175 40e5b8 16169->16175 16171 40e5b1 CloseHandle 16170->16171 16172 40e566 16170->16172 16171->16175 16539 40db2e 16172->16539 16548 40e3ca RegOpenKeyExA 16175->16548 16176 40e576 ReadFile 16176->16171 16177 40e58d 16176->16177 16543 40e332 16177->16543 16180 40e5f2 16182 40e3ca 19 API calls 16180->16182 16183 40e629 16180->16183 16182->16183 16183->15946 16185 40eabe 16184->16185 16187 40eaba 16184->16187 16186 40dd05 6 API calls 16185->16186 16185->16187 16186->16187 16187->15949 16189 40ee2a 16188->16189 16190 401db4 GetVersionExA 16189->16190 16191 401dd0 
GetSystemInfo GetModuleHandleA GetProcAddress 16190->16191 16193 401e24 16191->16193 16194 401e16 GetCurrentProcess 16191->16194 16601 40e819 16193->16601 16194->16193 16196 401e3d 16197 40e819 11 API calls 16196->16197 16198 401e4e 16197->16198 16199 401e77 16198->16199 16608 40df70 16198->16608 16617 40ea84 16199->16617 16202 401e6c 16204 40df70 12 API calls 16202->16204 16204->16199 16205 40e819 11 API calls 16206 401e93 16205->16206 16621 40199c inet_addr LoadLibraryA 16206->16621 16209 40e819 11 API calls 16210 401eb9 16209->16210 16211 401ed8 16210->16211 16212 40f04e 4 API calls 16210->16212 16213 40e819 11 API calls 16211->16213 16214 401ec9 16212->16214 16215 401eee 16213->16215 16216 40ea84 30 API calls 16214->16216 16224 401f0a 16215->16224 16634 401b71 16215->16634 16216->16211 16218 40e819 11 API calls 16220 401f23 16218->16220 16219 401efd 16221 40ea84 30 API calls 16219->16221 16229 401f3f 16220->16229 16638 401bdf 16220->16638 16221->16224 16223 40e819 11 API calls 16226 401f5e 16223->16226 16224->16218 16228 401f77 16226->16228 16230 40ea84 30 API calls 16226->16230 16227 40ea84 30 API calls 16227->16229 16645 4030b5 16228->16645 16229->16223 16230->16228 16233 406ec3 2 API calls 16235 401f8e GetTickCount 16233->16235 16235->15954 16237 406ec3 2 API calls 16236->16237 16238 4080eb 16237->16238 16239 4080f9 16238->16239 16240 4080ef 16238->16240 16242 40704c 16 API calls 16239->16242 16693 407ee6 16240->16693 16244 408110 16242->16244 16243 408269 CreateThread 16261 405e6c 16243->16261 17022 40877e 16243->17022 16246 408156 RegOpenKeyExA 16244->16246 16247 4080f4 16244->16247 16245 40675c 21 API calls 16251 408244 16245->16251 16246->16247 16248 40816d RegQueryValueExA 16246->16248 16247->16243 16247->16245 16249 4081f7 16248->16249 16250 40818d 16248->16250 16252 40820d RegCloseKey 16249->16252 16254 40ec2e codecvt 4 API calls 16249->16254 16250->16249 16256 40ebcc 4 API calls 16250->16256 16251->16243 16253 40ec2e codecvt 4 API calls 16251->16253 
16252->16247 16253->16243 16255 4081dd 16254->16255 16255->16252 16257 4081a0 16256->16257 16257->16252 16258 4081aa RegQueryValueExA 16257->16258 16258->16249 16259 4081c4 16258->16259 16260 40ebcc 4 API calls 16259->16260 16260->16255 16761 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 16261->16761 16263 405e71 16762 40e654 16263->16762 16265 405ec1 16266 403132 16265->16266 16267 40df70 12 API calls 16266->16267 16268 40313b 16267->16268 16269 40c125 16268->16269 16773 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 16269->16773 16271 40c12d 16272 40e654 13 API calls 16271->16272 16273 40c2bd 16272->16273 16274 40e654 13 API calls 16273->16274 16275 40c2c9 16274->16275 16276 40e654 13 API calls 16275->16276 16277 40a47a 16276->16277 16278 408db1 16277->16278 16279 408dbc 16278->16279 16280 40e654 13 API calls 16279->16280 16281 408dec Sleep 16280->16281 16281->15990 16283 40c92f 16282->16283 16284 40c93c 16283->16284 16774 40c517 16283->16774 16286 40ca2b 16284->16286 16287 40e819 11 API calls 16284->16287 16286->15990 16288 40c96a 16287->16288 16289 40e819 11 API calls 16288->16289 16290 40c97d 16289->16290 16291 40e819 11 API calls 16290->16291 16292 40c990 16291->16292 16293 40c9aa 16292->16293 16294 40ebcc 4 API calls 16292->16294 16293->16286 16791 402684 16293->16791 16294->16293 16299 40ca26 16798 40c8aa 16299->16798 16302 40ca44 16303 40ca4b closesocket 16302->16303 16304 40ca83 16302->16304 16303->16299 16305 40ea84 30 API calls 16304->16305 16306 40caac 16305->16306 16307 40f04e 4 API calls 16306->16307 16308 40cab2 16307->16308 16309 40ea84 30 API calls 16308->16309 16310 40caca 16309->16310 16311 40ea84 30 API calls 16310->16311 16312 40cad9 16311->16312 16806 40c65c 16312->16806 16315 40cb60 closesocket 16315->16286 16317 40dad2 closesocket 16318 40e318 23 API calls 16317->16318 16318->16286 16319 40df4c 20 API calls 16379 40cb70 16319->16379 16325 40e654 13 API calls 16325->16379 16330 40ea84 30 API calls 
16330->16379 16331 40d569 closesocket Sleep 16853 40e318 16331->16853 16332 40d815 wsprintfA 16332->16379 16333 40cc1c GetTempPathA 16333->16379 16334 40c517 23 API calls 16334->16379 16336 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16336->16379 16337 407ead 6 API calls 16337->16379 16338 40e8a1 30 API calls 16338->16379 16339 40d582 ExitProcess 16340 40cfe3 GetSystemDirectoryA 16340->16379 16341 40cfad GetEnvironmentVariableA 16341->16379 16342 40675c 21 API calls 16342->16379 16343 40d027 GetSystemDirectoryA 16343->16379 16344 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 16344->16379 16345 40d105 lstrcatA 16345->16379 16346 40ef1e lstrlenA 16346->16379 16347 40cc9f CreateFileA 16349 40ccc6 WriteFile 16347->16349 16347->16379 16348 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16348->16379 16351 40cdcc CloseHandle 16349->16351 16352 40cced CloseHandle 16349->16352 16350 40d15b CreateFileA 16353 40d182 WriteFile CloseHandle 16350->16353 16350->16379 16351->16379 16359 40cd2f 16352->16359 16353->16379 16354 40cd16 wsprintfA 16354->16359 16355 40d149 SetFileAttributesA 16355->16350 16356 40d1bf SetFileAttributesA 16356->16379 16357 40d36e GetEnvironmentVariableA 16357->16379 16358 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 16358->16379 16359->16354 16835 407fcf 16359->16835 16360 40d22d GetEnvironmentVariableA 16360->16379 16361 40d3af lstrcatA 16363 40d3f2 CreateFileA 16361->16363 16361->16379 16366 40d415 WriteFile CloseHandle 16363->16366 16363->16379 16365 407fcf 64 API calls 16365->16379 16366->16379 16367 40cd81 WaitForSingleObject CloseHandle CloseHandle 16369 40f04e 4 API calls 16367->16369 16368 40cda5 16370 407ee6 64 API calls 16368->16370 16369->16368 16373 40cdbd DeleteFileA 16370->16373 16371 40d3e0 SetFileAttributesA 16371->16363 16372 40d26e lstrcatA 16375 40d2b1 CreateFileA 16372->16375 16372->16379 16373->16379 16374 40d4b1 CreateProcessA 
16376 40d4e8 CloseHandle CloseHandle 16374->16376 16374->16379 16375->16379 16380 40d2d8 WriteFile CloseHandle 16375->16380 16376->16379 16377 407ee6 64 API calls 16377->16379 16378 40d452 SetFileAttributesA 16378->16379 16379->16317 16379->16319 16379->16325 16379->16330 16379->16331 16379->16332 16379->16333 16379->16334 16379->16336 16379->16337 16379->16338 16379->16340 16379->16341 16379->16342 16379->16343 16379->16344 16379->16345 16379->16346 16379->16347 16379->16348 16379->16350 16379->16355 16379->16356 16379->16357 16379->16358 16379->16360 16379->16361 16379->16363 16379->16365 16379->16371 16379->16372 16379->16374 16379->16375 16379->16377 16379->16378 16382 40d29f SetFileAttributesA 16379->16382 16384 40d31d SetFileAttributesA 16379->16384 16814 40c75d 16379->16814 16826 407e2f 16379->16826 16848 407ead 16379->16848 16858 4031d0 16379->16858 16875 403c09 16379->16875 16885 403a00 16379->16885 16889 40e7b4 16379->16889 16892 40c06c 16379->16892 16898 406f5f GetUserNameA 16379->16898 16909 40e854 16379->16909 16919 407dd6 16379->16919 16380->16379 16382->16375 16384->16379 16386 40741b 16385->16386 16387 406dc2 6 API calls 16386->16387 16388 40743f 16387->16388 16389 407469 RegOpenKeyExA 16388->16389 16390 407487 ___ascii_stricmp 16389->16390 16391 4077f9 16389->16391 16392 407703 RegEnumKeyA 16390->16392 16394 40f1a5 lstrlenA 16390->16394 16395 4074d2 RegOpenKeyExA 16390->16395 16396 40772c 16390->16396 16397 407521 RegQueryValueExA 16390->16397 16401 4076e4 RegCloseKey 16390->16401 16403 40777e GetFileAttributesExA 16390->16403 16404 407769 16390->16404 16391->16058 16392->16390 16393 407714 RegCloseKey 16392->16393 16393->16391 16394->16390 16395->16390 16398 407742 RegCloseKey 16396->16398 16399 40774b 16396->16399 16397->16390 16398->16399 16400 4077ec RegCloseKey 16399->16400 16400->16391 16401->16390 16402 4077e3 RegCloseKey 16402->16400 16403->16404 16404->16402 16406 407073 16405->16406 16407 4070b9 RegOpenKeyExA 16406->16407 16408 4070d0 
16407->16408 16422 4071b8 16407->16422 16409 406dc2 6 API calls 16408->16409 16412 4070d5 16409->16412 16410 40719b RegEnumValueA 16411 4071af RegCloseKey 16410->16411 16410->16412 16411->16422 16412->16410 16414 4071d0 16412->16414 16428 40f1a5 lstrlenA 16412->16428 16415 407205 RegCloseKey 16414->16415 16416 407227 16414->16416 16415->16422 16417 4072b8 ___ascii_stricmp 16416->16417 16418 40728e RegCloseKey 16416->16418 16419 4072cd RegCloseKey 16417->16419 16420 4072dd 16417->16420 16418->16422 16419->16422 16421 407311 RegCloseKey 16420->16421 16424 407335 16420->16424 16421->16422 16422->16062 16423 4073d5 RegCloseKey 16425 4073e4 16423->16425 16424->16423 16426 40737e GetFileAttributesExA 16424->16426 16427 407397 16424->16427 16426->16427 16427->16423 16429 40f1c3 16428->16429 16429->16412 16431 406e97 16430->16431 16432 406e5f LookupAccountNameW 16430->16432 16431->16064 16432->16431 16434 40eb17 16433->16434 16436 40eb21 16433->16436 16443 40eae4 16434->16443 16436->16104 16439 4069b9 WriteFile 16437->16439 16440 406a3c 16439->16440 16442 4069ff 16439->16442 16440->16100 16440->16101 16441 406a10 WriteFile 16441->16440 16441->16442 16442->16440 16442->16441 16444 40eb02 GetProcAddress 16443->16444 16445 40eaed LoadLibraryA 16443->16445 16444->16436 16445->16444 16446 40eb01 16445->16446 16446->16436 16448 401924 GetVersionExA 16447->16448 16448->16115 16450 406f55 16449->16450 16451 406eef AllocateAndInitializeSid 16449->16451 16450->16125 16452 406f44 16451->16452 16453 406f1c CheckTokenMembership 16451->16453 16452->16450 16456 406e36 2 API calls 16452->16456 16454 406f3b FreeSid 16453->16454 16455 406f2e 16453->16455 16454->16452 16455->16454 16456->16450 16458 40f0f1 16457->16458 16459 40f0ed 16457->16459 16460 40f119 16458->16460 16461 40f0fa lstrlenA SysAllocStringByteLen 16458->16461 16459->16147 16463 40f11c MultiByteToWideChar 16460->16463 16462 40f117 16461->16462 16461->16463 16462->16147 16463->16462 16465 401820 17 API calls 16464->16465 16467 
4018f2 16465->16467 16466 4018f9 16466->16142 16467->16466 16481 401280 16467->16481 16469 401908 16469->16142 16494 401000 16470->16494 16472 401839 16473 401851 GetCurrentProcess 16472->16473 16474 40183d 16472->16474 16475 401864 16473->16475 16474->16133 16475->16133 16478 40920e 16476->16478 16480 409308 16476->16480 16477 4092f1 Sleep 16477->16478 16478->16477 16478->16478 16479 4092bf ShellExecuteA 16478->16479 16478->16480 16479->16478 16479->16480 16480->16142 16484 4012e1 ShellExecuteExW 16481->16484 16483 4016f9 GetLastError 16485 401699 16483->16485 16484->16483 16491 4013a8 16484->16491 16485->16469 16486 401570 lstrlenW 16486->16491 16487 4015be GetStartupInfoW 16487->16491 16488 4015ff CreateProcessWithLogonW 16489 4016bf GetLastError 16488->16489 16490 40163f WaitForSingleObject 16488->16490 16489->16485 16490->16491 16492 401659 CloseHandle 16490->16492 16491->16485 16491->16486 16491->16487 16491->16488 16493 401668 CloseHandle 16491->16493 16492->16491 16493->16491 16495 40100d LoadLibraryA 16494->16495 16501 401023 16494->16501 16496 401021 16495->16496 16495->16501 16496->16472 16497 4010b5 GetProcAddress 16498 4010d1 GetProcAddress 16497->16498 16499 40127b 16497->16499 16498->16499 16500 4010f0 GetProcAddress 16498->16500 16499->16472 16500->16499 16502 401110 GetProcAddress 16500->16502 16501->16497 16513 4010ae 16501->16513 16502->16499 16503 401130 GetProcAddress 16502->16503 16503->16499 16504 40114f GetProcAddress 16503->16504 16504->16499 16505 40116f GetProcAddress 16504->16505 16505->16499 16506 40118f GetProcAddress 16505->16506 16506->16499 16507 4011ae GetProcAddress 16506->16507 16507->16499 16508 4011ce GetProcAddress 16507->16508 16508->16499 16509 4011ee GetProcAddress 16508->16509 16509->16499 16510 401209 GetProcAddress 16509->16510 16510->16499 16511 401225 GetProcAddress 16510->16511 16511->16499 16512 401241 GetProcAddress 16511->16512 16512->16499 16514 40125c GetProcAddress 16512->16514 16513->16472 16514->16499 16516 
40908d 16515->16516 16517 4090e2 wsprintfA 16516->16517 16518 40ee2a 16517->16518 16519 4090fd CreateFileA 16518->16519 16520 40911a lstrlenA WriteFile CloseHandle 16519->16520 16521 40913f 16519->16521 16520->16521 16521->16163 16521->16164 16523 40dd41 InterlockedExchange 16522->16523 16524 40dd20 GetCurrentThreadId 16523->16524 16528 40dd4a 16523->16528 16525 40dd53 GetCurrentThreadId 16524->16525 16526 40dd2e GetTickCount 16524->16526 16525->16167 16527 40dd39 Sleep 16526->16527 16526->16528 16527->16523 16528->16525 16530 40dbf0 16529->16530 16562 40db67 GetEnvironmentVariableA 16530->16562 16532 40dc19 16533 40dcda 16532->16533 16534 40db67 3 API calls 16532->16534 16533->16169 16535 40dc5c 16534->16535 16535->16533 16536 40db67 3 API calls 16535->16536 16537 40dc9b 16536->16537 16537->16533 16538 40db67 3 API calls 16537->16538 16538->16533 16540 40db55 16539->16540 16541 40db3a 16539->16541 16540->16171 16540->16176 16566 40ebed 16541->16566 16575 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 16543->16575 16545 40e3be 16545->16171 16546 40e342 16546->16545 16578 40de24 16546->16578 16549 40e528 16548->16549 16550 40e3f4 16548->16550 16549->16180 16551 40e434 RegQueryValueExA 16550->16551 16552 40e458 16551->16552 16553 40e51d RegCloseKey 16551->16553 16554 40e46e RegQueryValueExA 16552->16554 16553->16549 16554->16552 16555 40e488 16554->16555 16555->16553 16556 40db2e 8 API calls 16555->16556 16557 40e499 16556->16557 16557->16553 16558 40e4b9 RegQueryValueExA 16557->16558 16559 40e4e8 16557->16559 16558->16557 16558->16559 16559->16553 16560 40e332 14 API calls 16559->16560 16561 40e513 16560->16561 16561->16553 16563 40db89 lstrcpyA CreateFileA 16562->16563 16564 40dbca 16562->16564 16563->16532 16564->16532 16567 40ec01 16566->16567 16568 40ebf6 16566->16568 16570 40eba0 codecvt 2 API calls 16567->16570 16569 40ebcc 4 API calls 16568->16569 16571 40ebfe 16569->16571 16572 40ec0a GetProcessHeap HeapReAlloc 16570->16572 16571->16540 16573 40eb74 2 
API calls 16572->16573 16574 40ec28 16573->16574 16574->16540 16589 40eb41 16575->16589 16579 40de3a 16578->16579 16582 40de4e 16579->16582 16593 40dd84 16579->16593 16582->16546 16583 40de76 16597 40ddcf 16583->16597 16584 40ebed 8 API calls 16587 40def6 16584->16587 16585 40de9e 16585->16582 16585->16584 16587->16582 16588 40ddcf lstrcmpA 16587->16588 16588->16582 16590 40eb54 16589->16590 16591 40eb4a 16589->16591 16590->16546 16592 40eae4 2 API calls 16591->16592 16592->16590 16594 40ddc5 16593->16594 16595 40dd96 16593->16595 16594->16583 16594->16585 16595->16594 16596 40ddad lstrcmpiA 16595->16596 16596->16594 16596->16595 16598 40de20 16597->16598 16599 40dddd 16597->16599 16598->16582 16599->16598 16600 40ddfa lstrcmpA 16599->16600 16600->16599 16602 40dd05 6 API calls 16601->16602 16603 40e821 16602->16603 16604 40dd84 lstrcmpiA 16603->16604 16605 40e82c 16604->16605 16606 40e844 16605->16606 16649 402480 16605->16649 16606->16196 16609 40dd05 6 API calls 16608->16609 16610 40df7c 16609->16610 16611 40dd84 lstrcmpiA 16610->16611 16613 40df89 16611->16613 16612 40ddcf lstrcmpA 16612->16613 16613->16612 16614 40ec2e codecvt 4 API calls 16613->16614 16615 40dd84 lstrcmpiA 16613->16615 16616 40dfc4 16613->16616 16614->16613 16615->16613 16616->16202 16618 40ea98 16617->16618 16658 40e8a1 16618->16658 16620 401e84 16620->16205 16622 4019d5 GetProcAddress GetProcAddress GetProcAddress 16621->16622 16623 4019ce 16621->16623 16624 401ab3 FreeLibrary 16622->16624 16625 401a04 16622->16625 16623->16209 16624->16623 16625->16624 16626 401a14 GetProcessHeap 16625->16626 16626->16623 16628 401a2e HeapAlloc 16626->16628 16628->16623 16629 401a42 16628->16629 16630 401a52 HeapReAlloc 16629->16630 16632 401a62 16629->16632 16630->16632 16631 401aa1 FreeLibrary 16631->16623 16632->16631 16633 401a96 HeapFree 16632->16633 16633->16631 16686 401ac3 LoadLibraryA 16634->16686 16637 401bcf 16637->16219 16639 401ac3 12 API calls 16638->16639 16640 401c09 16639->16640 16641 
401c41 16640->16641 16642 401c0d GetComputerNameA 16640->16642 16641->16227 16643 401c45 GetVolumeInformationA 16642->16643 16644 401c1f 16642->16644 16643->16641 16644->16641 16644->16643 16646 40ee2a 16645->16646 16647 4030d0 gethostname gethostbyname 16646->16647 16648 401f82 16647->16648 16648->16233 16648->16235 16652 402419 lstrlenA 16649->16652 16651 402491 16651->16606 16653 402474 16652->16653 16654 40243d lstrlenA 16652->16654 16653->16651 16655 402464 lstrlenA 16654->16655 16656 40244e lstrcmpiA 16654->16656 16655->16653 16655->16654 16656->16655 16657 40245c 16656->16657 16657->16653 16657->16655 16659 40dd05 6 API calls 16658->16659 16660 40e8b4 16659->16660 16661 40dd84 lstrcmpiA 16660->16661 16662 40e8c0 16661->16662 16663 40e90a 16662->16663 16664 40e8c8 lstrcpynA 16662->16664 16665 402419 4 API calls 16663->16665 16674 40ea27 16663->16674 16666 40e8f5 16664->16666 16667 40e926 lstrlenA lstrlenA 16665->16667 16679 40df4c 16666->16679 16669 40e96a 16667->16669 16670 40e94c lstrlenA 16667->16670 16673 40ebcc 4 API calls 16669->16673 16669->16674 16670->16669 16671 40e901 16672 40dd84 lstrcmpiA 16671->16672 16672->16663 16675 40e98f 16673->16675 16674->16620 16675->16674 16676 40df4c 20 API calls 16675->16676 16677 40ea1e 16676->16677 16678 40ec2e codecvt 4 API calls 16677->16678 16678->16674 16680 40dd05 6 API calls 16679->16680 16681 40df51 16680->16681 16682 40f04e 4 API calls 16681->16682 16683 40df58 16682->16683 16684 40de24 10 API calls 16683->16684 16685 40df63 16684->16685 16685->16671 16687 401ae2 GetProcAddress 16686->16687 16692 401b68 GetComputerNameA GetVolumeInformationA 16686->16692 16688 401af5 16687->16688 16687->16692 16689 40ebed 8 API calls 16688->16689 16690 401b29 16688->16690 16689->16688 16690->16690 16691 40ec2e codecvt 4 API calls 16690->16691 16690->16692 16691->16692 16692->16637 16694 406ec3 2 API calls 16693->16694 16695 407ef4 16694->16695 16696 4073ff 17 API calls 16695->16696 16705 407fc9 16695->16705 16697 407f16 
16696->16697 16697->16705 16706 407809 GetUserNameA 16697->16706 16699 407f63 16700 40ef1e lstrlenA 16699->16700 16699->16705 16701 407fa6 16700->16701 16702 40ef1e lstrlenA 16701->16702 16703 407fb7 16702->16703 16730 407a95 RegOpenKeyExA 16703->16730 16705->16247 16707 40783d LookupAccountNameA 16706->16707 16708 407a8d 16706->16708 16707->16708 16709 407874 GetLengthSid GetFileSecurityA 16707->16709 16708->16699 16709->16708 16710 4078a8 GetSecurityDescriptorOwner 16709->16710 16711 4078c5 EqualSid 16710->16711 16712 40791d GetSecurityDescriptorDacl 16710->16712 16711->16712 16713 4078dc LocalAlloc 16711->16713 16712->16708 16719 407941 16712->16719 16713->16712 16714 4078ef InitializeSecurityDescriptor 16713->16714 16715 407916 LocalFree 16714->16715 16716 4078fb SetSecurityDescriptorOwner 16714->16716 16715->16712 16716->16715 16718 40790b SetFileSecurityA 16716->16718 16717 40795b GetAce 16717->16719 16718->16715 16719->16708 16719->16717 16720 407980 EqualSid 16719->16720 16721 407a3d 16719->16721 16722 4079be EqualSid 16719->16722 16723 40799d DeleteAce 16719->16723 16720->16719 16721->16708 16724 407a43 LocalAlloc 16721->16724 16722->16719 16723->16719 16724->16708 16725 407a56 InitializeSecurityDescriptor 16724->16725 16726 407a62 SetSecurityDescriptorDacl 16725->16726 16727 407a86 LocalFree 16725->16727 16726->16727 16728 407a73 SetFileSecurityA 16726->16728 16727->16708 16728->16727 16729 407a83 16728->16729 16729->16727 16731 407ac4 16730->16731 16732 407acb GetUserNameA 16730->16732 16731->16705 16733 407da7 RegCloseKey 16732->16733 16734 407aed LookupAccountNameA 16732->16734 16733->16731 16734->16733 16735 407b24 RegGetKeySecurity 16734->16735 16735->16733 16736 407b49 GetSecurityDescriptorOwner 16735->16736 16737 407b63 EqualSid 16736->16737 16738 407bb8 GetSecurityDescriptorDacl 16736->16738 16737->16738 16740 407b74 LocalAlloc 16737->16740 16739 407da6 16738->16739 16747 407bdc 16738->16747 16739->16733 16740->16738 16741 407b8a 
InitializeSecurityDescriptor 16740->16741 16742 407bb1 LocalFree 16741->16742 16743 407b96 SetSecurityDescriptorOwner 16741->16743 16742->16738 16743->16742 16745 407ba6 RegSetKeySecurity 16743->16745 16744 407bf8 GetAce 16744->16747 16745->16742 16746 407c1d EqualSid 16746->16747 16747->16739 16747->16744 16747->16746 16748 407cd9 16747->16748 16749 407c5f EqualSid 16747->16749 16750 407c3a DeleteAce 16747->16750 16748->16739 16751 407d5a LocalAlloc 16748->16751 16753 407cf2 RegOpenKeyExA 16748->16753 16749->16747 16750->16747 16751->16739 16752 407d70 InitializeSecurityDescriptor 16751->16752 16754 407d7c SetSecurityDescriptorDacl 16752->16754 16755 407d9f LocalFree 16752->16755 16753->16751 16758 407d0f 16753->16758 16754->16755 16756 407d8c RegSetKeySecurity 16754->16756 16755->16739 16756->16755 16757 407d9c 16756->16757 16757->16755 16759 407d43 RegSetValueExA 16758->16759 16759->16751 16760 407d54 16759->16760 16760->16751 16761->16263 16763 40dd05 6 API calls 16762->16763 16766 40e65f 16763->16766 16764 40e6a5 16765 40ebcc 4 API calls 16764->16765 16771 40e6f5 16764->16771 16768 40e6b0 16765->16768 16766->16764 16767 40e68c lstrcmpA 16766->16767 16767->16766 16769 40e6b7 16768->16769 16770 40e6e0 lstrcpynA 16768->16770 16768->16771 16769->16265 16770->16771 16771->16769 16772 40e71d lstrcmpA 16771->16772 16772->16771 16773->16271 16775 40c525 16774->16775 16776 40c532 16774->16776 16775->16776 16778 40ec2e codecvt 4 API calls 16775->16778 16777 40c548 16776->16777 16926 40e7ff 16776->16926 16780 40e7ff lstrcmpiA 16777->16780 16788 40c54f 16777->16788 16778->16776 16781 40c615 16780->16781 16784 40ebcc 4 API calls 16781->16784 16781->16788 16782 40c5d1 16786 40ebcc 4 API calls 16782->16786 16784->16788 16785 40e819 11 API calls 16787 40c5b7 16785->16787 16786->16788 16789 40f04e 4 API calls 16787->16789 16788->16284 16790 40c5bf 16789->16790 16790->16777 16790->16782 16792 402692 inet_addr 16791->16792 16793 40268e 16791->16793 16792->16793 16794 40269e 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\ODy57hA4Su.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\ODy57hA4Su.exe$C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D$P$\$puwycifc
                                                                                      • API String ID: 2089075347-3041349192
                                                                                      • Opcode ID: 210f584047e2a3557edc0ac511e6dc12bb7f949e626bf56cb8d544fe5afb1cee
                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                      • Opcode Fuzzy Hash: 210f584047e2a3557edc0ac511e6dc12bb7f949e626bf56cb8d544fe5afb1cee
                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 264 41a630-41a655 265 41a658-41a65e 264->265 266 41a660-41a66a 265->266 267 41a66f-41a679 265->267 266->267 268 41a67b-41a696 267->268 269 41a69c-41a6a3 267->269 268->269 269->265 270 41a6a5-41a6ad 269->270 272 41a6b0-41a6b6 270->272 273 41a6c4-41a6ce 272->273 274 41a6b8-41a6be 272->274 275 41a6d0 273->275 276 41a6d2-41a6d9 273->276 274->273 275->276 276->272 277 41a6db-41a6e2 276->277 278 41a6e8-41a7d3 InterlockedExchange SetConsoleTitleA GlobalSize FindAtomW SearchPathA SetConsoleMode GetDefaultCommConfigW CopyFileExA GetEnvironmentStringsW WriteConsoleOutputW GetNumaProcessorNode DebugActiveProcessStop GetSystemDefaultLCID 277->278 279 41a81b-41a829 277->279 286 41a7e0-41a7e7 278->286 287 41a7d5-41a7da RtlEnterCriticalSection 278->287 280 41a830-41a838 279->280 284 41a84a-41a861 GetSystemTimes 280->284 285 41a83a-41a844 GetUserObjectInformationW 280->285 288 41a863-41a86a 284->288 289 41a86e-41a875 284->289 285->284 290 41a7f9-41a818 286->290 291 41a7e9-41a7f3 LoadLibraryA 286->291 287->286 288->280 292 41a86c 288->292 293 41a887-41a88f 289->293 294 41a877-41a881 FoldStringW 289->294 290->279 291->290 292->293 295 41a891-41a903 GetConsoleAliasesLengthA CallNamedPipeA GetComputerNameW GetFileAttributesW GetConsoleAliasExesLengthW 293->295 296 41a909-41a924 GlobalAlloc 293->296 294->293 295->296 299 41a926-41a931 296->299 300 41a95c-41a967 LoadLibraryW call 41a350 296->300 302 41a940-41a950 299->302 307 41a96c-41a97f call 41a5c0 300->307 305 41a952 302->305 306 41a957-41a95a 302->306 305->306 306->300 306->302 312 41a980-41a987 307->312 314 41a989-41a999 GlobalSize 312->314 315 41a99d-41a9a3 312->315 314->315 316 41a9a5 call 41a340 315->316 317 41a9aa-41a9b1 315->317 316->317 321 41a9c0-41a9c7 317->321 322 41a9b3-41a9ba InterlockedExchangeAdd 317->322 321->312 324 41a9c9-41a9d9 321->324 322->321 325 41a9e0-41a9e5 324->325 327 41a9e7-41a9ed 325->327 328 41a9ef-41a9f5 325->328 327->328 329 41a9f7-41aa0b 327->329 328->325 328->329
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A6EF
                                                                                      • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A6F7
                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A6FF
                                                                                      • FindAtomW.KERNEL32(00000000), ref: 0041A707
                                                                                      • SearchPathA.KERNEL32(0041C9B0,0041C998,0041C978,00000000,?,?), ref: 0041A72B
                                                                                      • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A735
                                                                                      • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A75D
                                                                                      • CopyFileExA.KERNEL32(0041C9DC,0041C9CC,00000000,00000000,00000000,00000000), ref: 0041A775
                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0041A77B
                                                                                      • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A79A
                                                                                      • GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A7A4
                                                                                      • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A7AC
                                                                                      • GetSystemDefaultLCID.KERNEL32 ref: 0041A7C6
                                                                                      • RtlEnterCriticalSection.NTDLL(?), ref: 0041A7DA
                                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 0041A7F3
                                                                                      • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A844
                                                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A859
                                                                                      • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A881
                                                                                      • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0041A8A0
                                                                                      • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A8AD
                                                                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0041A8B5
                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041A8BC
                                                                                      • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A8C2
                                                                                      • GlobalAlloc.KERNELBASE(00000000,00421FFC), ref: 0041A90C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400747790.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_415000_jhrsuqtz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Console$DefaultFileGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesCallCommComputerConfigCopyCriticalDebugEnterEnvironmentExchangeExesFindFoldInformationInterlockedLibraryLoadModeNameNamedNodeNumaObjectOutputPathPipeProcessProcessorSearchSectionSizeStopStringStringsTimesTitleUserWrite
                                                                                      • String ID: W9@$k`$}$
                                                                                      • API String ID: 414751691-3186663488
                                                                                      • Opcode ID: 3125ac5748dbd4fbce1368805dc9991385e2cf29a0c5f3b6033c5a1e3b709f57
                                                                                      • Instruction ID: 38aa9030d850b5c0fa977c86cdfdbc856e4cc6e92616535b5e60fdfa969bb4c8
                                                                                      • Opcode Fuzzy Hash: 3125ac5748dbd4fbce1368805dc9991385e2cf29a0c5f3b6033c5a1e3b709f57
                                                                                      • Instruction Fuzzy Hash: 90A127B1641310ABD320AB61DC4AFDB7B64EB4C715F01843AF669A61E0CBB85541CBEF

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 579 40637c-406384 580 406386-406389 579->580 581 40638a-4063b4 GetModuleHandleA VirtualAlloc 579->581 582 4063f5-4063f7 581->582 583 4063b6-4063d4 call 40ee08 VirtualAllocEx 581->583 584 40640b-40640f 582->584 583->582 587 4063d6-4063f3 call 4062b7 WriteProcessMemory 583->587 587->582 590 4063f9-40640a 587->590 590->584
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 332 4073ff-407419 333 40741b 332->333 334 40741d-407422 332->334 333->334 335 407424 334->335 336 407426-40742b 334->336 335->336 337 407430-407435 336->337 338 40742d 336->338 339 407437 337->339 340 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 337->340 338->337 339->340 345 407487-40749d call 40ee2a 340->345 346 4077f9-4077fe call 40ee2a 340->346 352 407703-40770e RegEnumKeyA 345->352 351 407801 346->351 353 407804-407808 351->353 354 4074a2-4074b1 call 406cad 352->354 355 407714-40771d RegCloseKey 352->355 358 4074b7-4074cc call 40f1a5 354->358 359 4076ed-407700 354->359 355->351 358->359 362 4074d2-4074f8 RegOpenKeyExA 358->362 359->352 363 407727-40772a 362->363 364 4074fe-407530 call 402544 RegQueryValueExA 362->364 365 407755-407764 call 40ee2a 363->365 366 40772c-407740 call 40ef00 363->366 364->363 372 407536-40753c 364->372 377 4076df-4076e2 365->377 374 407742-407745 RegCloseKey 366->374 375 40774b-40774e 366->375 376 40753f-407544 372->376 374->375 379 4077ec-4077f7 RegCloseKey 375->379 376->376 378 407546-40754b 376->378 377->359 380 4076e4-4076e7 RegCloseKey 377->380 378->365 381 407551-40756b call 40ee95 378->381 379->353 380->359 381->365 384 407571-407593 call 402544 call 40ee95 381->384 389 407753 384->389 390 407599-4075a0 384->390 389->365 391 4075a2-4075c6 call 40ef00 call 40ed03 390->391 392 4075c8-4075d7 call 40ed03 390->392 398 4075d8-4075da 391->398 392->398 400 4075dc 398->400 401 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 398->401 400->401 410 407626-40762b 401->410 410->410 411 40762d-407634 410->411 412 407637-40763c 411->412 412->412 413 40763e-407642 412->413 414 407644-407656 call 40ed77 413->414 415 40765c-407673 call 40ed23 413->415 414->415 420 407769-40777c call 40ef00 414->420 421 407680 415->421 422 407675-40767e 415->422 428 4077e3-4077e6 RegCloseKey 420->428 424 407683-40768e call 406cad 421->424 422->424 429 407722-407725 424->429 430 407694-4076bf call 40f1a5 call 406c96 424->430 428->379 431 4076dd 429->431 436 4076c1-4076c7 430->436 437 4076d8 430->437 431->377 436->437 438 4076c9-4076d2 436->438 437->431 438->437 439 40777e-407797 GetFileAttributesExA 438->439 440 407799 439->440 441 40779a-40779f 439->441 440->441 442 4077a1 441->442 443 4077a3-4077a8 441->443 442->443 444 4077c4-4077c8 443->444 445 4077aa-4077c0 call 40ee08 443->445 447 4077d7-4077dc 444->447 448 4077ca-4077d6 call 40ef00 444->448 445->444 451 4077e0-4077e2 447->451 452 4077de 447->452 448->447 451->428 452->451
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004074F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 00407528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004076E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 00407717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 00407745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 004077EF
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                      • Opcode Fuzzy Hash: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 454 5b003c-5b0047 455 5b0049 454->455 456 5b004c-5b0263 call 5b0a3f call 5b0e0f call 5b0d90 VirtualAlloc 454->456 455->456 471 5b028b-5b0292 456->471 472 5b0265-5b0289 call 5b0a69 456->472 473 5b02a1-5b02b0 471->473 475 5b02ce-5b03c2 VirtualProtect call 5b0cce call 5b0ce7 472->475 473->475 476 5b02b2-5b02cc 473->476 483 5b03d1-5b03e0 475->483 476->473 484 5b0439-5b04b8 VirtualFree 483->484 485 5b03e2-5b0437 call 5b0ce7 483->485 487 5b04be-5b04cd 484->487 488 5b05f4-5b05fe 484->488 485->483 492 5b04d3-5b04dd 487->492 489 5b077f-5b0789 488->489 490 5b0604-5b060d 488->490 496 5b078b-5b07a3 489->496 497 5b07a6-5b07b0 489->497 490->489 494 5b0613-5b0637 490->494 492->488 493 5b04e3-5b0505 LoadLibraryA 492->493 498 5b0517-5b0520 493->498 499 5b0507-5b0515 493->499 502 5b063e-5b0648 494->502 496->497 500 5b086e-5b08be LoadLibraryA 497->500 501 5b07b6-5b07cb 497->501 503 5b0526-5b0547 498->503 499->503 510 5b08c7-5b08f9 500->510 504 5b07d2-5b07d5 501->504 502->489 505 5b064e-5b065a 502->505 508 5b054d-5b0550 503->508 506 5b07d7-5b07e0 504->506 507 5b0824-5b0833 504->507 505->489 509 5b0660-5b066a 505->509 513 5b07e2 506->513 514 5b07e4-5b0822 506->514 518 5b0839-5b083c 507->518 515 5b05e0-5b05ef 508->515 516 5b0556-5b056b 508->516 517 5b067a-5b0689 509->517 511 5b08fb-5b0901 510->511 512 5b0902-5b091d 510->512 511->512 513->507 514->504 515->492 519 5b056f-5b057a 516->519 520 5b056d 516->520 521 5b068f-5b06b2 517->521 522 5b0750-5b077a 517->522 518->500 523 5b083e-5b0847 518->523 525 5b059b-5b05bb 519->525 526 5b057c-5b0599 519->526 520->515 527 5b06ef-5b06fc 521->527 528 5b06b4-5b06ed 521->528 522->502 529 5b084b-5b086c 523->529 530 5b0849 523->530 537 5b05bd-5b05db 525->537 526->537 531 5b074b 527->531 532 5b06fe-5b0748 527->532 528->527 529->518 530->500 531->517 532->531 537->508
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005B024D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID: cess$kernel32.dll
                                                                                      • API String ID: 4275171209-1230238691
                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction ID: 7551dfa21bb43cba0658288d1fd6cf974fef82f8ba6c86bf0450c771147d3be8
                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction Fuzzy Hash: 4F526874A00229DFDB64CF58C985BADBBB1BF09304F1480D9E94DAB291DB30AE85DF14

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 538 40977c-4097b9 call 40ee2a CreateProcessA 541 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 538->541 542 4097bb-4097bd 538->542 546 409801-40981c call 40637c 541->546 547 4097f5 541->547 543 409864-409866 542->543 549 4097f6-4097ff TerminateProcess 546->549 551 40981e-409839 WriteProcessMemory 546->551 547->549 549->542 551->547 552 40983b-409856 Wow64SetThreadContext 551->552 552->547 553 409858-409863 ResumeThread 552->553 553->543
                                                                                      APIs
                                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2098669666-2746444292
                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 554 41a933-41a93a 555 41a940-41a950 554->555 556 41a952 555->556 557 41a957-41a95a 555->557 556->557 557->555 558 41a95c-41a97f LoadLibraryW call 41a350 call 41a5c0 557->558 563 41a980-41a987 558->563 564 41a989-41a999 GlobalSize 563->564 565 41a99d-41a9a3 563->565 564->565 566 41a9a5 call 41a340 565->566 567 41a9aa-41a9b1 565->567 566->567 570 41a9c0-41a9c7 567->570 571 41a9b3-41a9ba InterlockedExchangeAdd 567->571 570->563 572 41a9c9-41a9d9 570->572 571->570 573 41a9e0-41a9e5 572->573 574 41a9e7-41a9ed 573->574 575 41a9ef-41a9f5 573->575 574->575 576 41a9f7-41aa0b 574->576 575->573 575->576
                                                                                      APIs
                                                                                      • LoadLibraryW.KERNELBASE(0041CA40), ref: 0041A961
                                                                                      • GlobalSize.KERNEL32(00000000), ref: 0041A98B
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041A9BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400747790.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_415000_jhrsuqtz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                      • String ID: k`$}$
                                                                                      • API String ID: 1230614907-956986773
                                                                                      • Opcode ID: d3d032c72053aceecd28de272ac849355dd5813b76bd1eed268e775e1403a36a
                                                                                      • Instruction ID: 87d718edd81fec5578da447485a1248bdf804c4c94e660229896a94c6f6a257a
                                                                                      • Opcode Fuzzy Hash: d3d032c72053aceecd28de272ac849355dd5813b76bd1eed268e775e1403a36a
                                                                                      • Instruction Fuzzy Hash: 33115B706552108BC7309B20DC42BDFB750EB49315F02483FE6A9862A1CB7854E18BDF

Control-flow Graph (graph not rendered; single basic block 41a350-41a445 calling GetModuleHandleW, GetProcAddress and VirtualProtect)
APIs
• GetModuleHandleW.KERNEL32(00421ED0), ref: 0041A3EE
• GetProcAddress.KERNEL32(00000000,00420640), ref: 0041A421
• VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A440
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400747790.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_415000_jhrsuqtz.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-3916222277
• Opcode ID: 301b48656fdeabb88a85c72d70f5d368dde583ca559c2ddd4d3b112bc4849b32
• Instruction ID: d1e14fb232e0ed7b86ecf6662b745481911f37886fb3b6d0d712552d8374243e
• Opcode Fuzzy Hash: 301b48656fdeabb88a85c72d70f5d368dde583ca559c2ddd4d3b112bc4849b32
• Instruction Fuzzy Hash: 9E113774728344DAD330CF64FD45B063AB5EBA4704F81503DD8088B2B2D7B61526C75E

Control-flow Graph (graph not rendered; basic blocks 404000-40405c, a CreateFileA retry loop with GetLastError and Sleep)
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph (graph not rendered)
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph (graph not rendered; basic blocks 406e36-406ec2 calling GetUserNameW and LookupAccountNameW)
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph (graph not rendered; basic blocks 73427e-7342dc calling CreateToolhelp32Snapshot and Module32First, with a subcall to 733f3d)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007342A6
• Module32First.KERNEL32(00000000,00000224), ref: 007342C6
Memory Dump Source
• Source File: 00000010.00000002.1401015750.0000000000733000.00000040.00000020.00020000.00000000.sdmp, Offset: 00733000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_733000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 8d8d12552539f7f95671994d4ef753e5a3e9b15dae3c27badfd65ac177fb9944
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 73F062325007116BE7242AB5988DA6BB6E8BF49724F500528F652A15C1DA78FC454A61

Control-flow Graph (graph not rendered; basic blocks 5b0e0f-5b0e2c calling SetErrorMode twice)
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,005B0223,?,?), ref: 005B0E19
• SetErrorMode.KERNELBASE(00000000,?,?,005B0223,?,?), ref: 005B0E1E
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: e6f0b986f79c47f2df78b5900a9022620743f9650b9358d5e1040a707868e860
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 0FD0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9080C770994046E5

Control-flow Graph (graph not rendered; basic blocks 406dc2-406e35 calling GetVolumeInformationA, with subcalls to 406cc9 and 40ef00)
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

Control-flow Graph (graph not rendered; basic blocks 409892-4098f1 calling SetServiceStatus)
APIs
• SetServiceStatus.SECHOST(00413394), ref: 004098EB
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: ServiceStatus
• String ID:
• API String ID: 3969395364-0
• Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
• Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
APIs
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 005B0929
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0
• Opcode ID: 3c70e2495a12ff6ae4c515c261271d7c947c2eb84b30f042f73628172fd7eedf
• Instruction ID: 1318691bb2f91343321d018af63213c0b44ed3bcc8f8abdb047d49f21bb7817d
• Opcode Fuzzy Hash: 3c70e2495a12ff6ae4c515c261271d7c947c2eb84b30f042f73628172fd7eedf
• Instruction Fuzzy Hash: 8190026828415071D920659C0C01B9501452742630F3407507130996D0D441A6005115
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00733F8E
Memory Dump Source
• Source File: 00000010.00000002.1401015750.0000000000733000.00000040.00000020.00020000.00000000.sdmp, Offset: 00733000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_733000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 53476ded5673290fbf3c25291527333713b1e8a71d0de80dce0534d7fbf5e50e
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 3F113C79A40208EFDB01DF98C989E99BFF5AF08350F058094F9489B362D375EA50DF80
APIs
  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CreateEventSleep
• String ID:
• API String ID: 3100162736-0
• Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
• Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 005B65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005B6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005B6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005B6652
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 211ac597fde7f9ce83e2b7338cbc43df44649eb770c08912bbd277b8e9b786c0
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: AE119171600219BFDB219F65DC0AFDB3FA8FB047A5F104024F908A7291E7B5ED0087A4
APIs
• ExitProcess.KERNEL32 ref: 005B9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 005B9FE1
• lstrcat.KERNEL32(?,?), ref: 005B9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 005BA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 005BA054
• DeleteFileA.KERNEL32(?), ref: 005BA09F
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 005BA0D6
                                                                                      • lstrcpy.KERNEL32 ref: 005BA12F
                                                                                      • lstrlen.KERNEL32(00000022), ref: 005BA13C
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 005B9F13
                                                                                        • Part of subcall function 005B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 005B7081
                                                                                        • Part of subcall function 005B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uzbdhnkh,005B7043), ref: 005B6F4E
                                                                                        • Part of subcall function 005B6F30: GetProcAddress.KERNEL32(00000000), ref: 005B6F55
                                                                                        • Part of subcall function 005B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005B6F7B
                                                                                        • Part of subcall function 005B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005B6F92
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 005BA1A2
                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005BA1C5
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 005BA214
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 005BA21B
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 005BA265
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005BA29F
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005BA2C5
                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 005BA2D9
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005BA2F4
                                                                                      • wsprintfA.USER32 ref: 005BA31D
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005BA345
                                                                                      • lstrcat.KERNEL32(?,?), ref: 005BA364
                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005BA387
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005BA398
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005BA1D1
                                                                                        • Part of subcall function 005B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 005B999D
                                                                                        • Part of subcall function 005B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005B99BD
                                                                                        • Part of subcall function 005B9966: RegCloseKey.ADVAPI32(?), ref: 005B99C6
                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 005BA3DB
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 005BA3E2
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 005BA41D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                      • String ID: "$"$"$D$P$\
                                                                                      • API String ID: 1653845638-2605685093
                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction ID: a7d2f1e89181ed54af55cc229a0be5392a42b56b9c59c68d928cbaeee599c0c6
                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction Fuzzy Hash: 34F130B1D4025DAFDF21DBA08C49EEE7FBCBB48300F1484A6F605E2151E775AA848F65
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040B2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040B2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
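The routine above pairs GetLocalTime, FileTimeToSystemTime and GetTimeZoneInformation with the format string "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" and three-letter day and month tables. Read field by field that is a day name, day, month name, year, hh:mm:ss and a signed UTC offset, the shape of an RFC 5322 Date value; the report does not say where the string goes, so that reading is an assumption. The Python below is an added example, not code from the report or from the sample: it reproduces the formatting from a local time and the Windows TIME_ZONE_INFORMATION Bias (minutes, UTC = local + Bias). The sample time 13 Jan 2018 12:08:32 is taken from the build stamp strings in the crash-report record further down this page.

```python
"""Rebuild the date string produced by the GetLocalTime/GetTimeZoneInformation
routine in this report.  Added example, not code from the report or the sample:
the format string and the name tokens are the ones in the record's String ID
line; treating the trailing "%s%.2u%.2u" as sign + UTC offset is my reading."""
from datetime import datetime

# Tokens from the record, here in calendar order (the report lists them sorted).
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]   # SYSTEMTIME.wDayOfWeek order
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
C_FORMAT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"   # as listed in the record


def utc_offset_from_bias(bias_minutes):
    """TIME_ZONE_INFORMATION.Bias is (UTC - local) in minutes, e.g. 300 for UTC-5.
    Returns the (sign, hours, minutes) triple that fills the format's last three fields."""
    sign = "-" if bias_minutes > 0 else "+"
    total = abs(bias_minutes)
    return sign, total // 60, total % 60


def format_date(year, month, day, hour, minute, second, bias_minutes):
    """Local wall-clock fields plus Bias -> 'Sat, 13 Jan 2018 12:08:32 -0500' style string."""
    local = datetime(year, month, day, hour, minute, second)
    sign, off_h, off_m = utc_offset_from_bias(bias_minutes)
    # SYSTEMTIME counts Sunday as 0; datetime.weekday() counts Monday as 0.
    day_name = DAYS[(local.weekday() + 1) % 7]
    # %.2u in the C format is a zero-padded two-digit field, i.e. %02d here.
    return "%s, %d %s %d %02d:%02d:%02d %s%02d%02d" % (
        day_name, local.day, MONTHS[local.month - 1], local.year,
        local.hour, local.minute, local.second, sign, off_h, off_m)
```

The result is a perfectly ordinary Date header, so the string itself is not a fingerprint; what it does tell an analyst is that the offset is taken from the infected host's zone settings, so mail sent through this routine carries the victim machine's local clock and offset rather than a fixed value.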
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 005B7D21
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005B7D46
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005B7D7D
                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 005B7DA2
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005B7DC0
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005B7DD1
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005B7DE5
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005B7DF3
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005B7E03
                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 005B7E12
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005B7E19
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005B7E35
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D
                                                                                      • API String ID: 2976863881-3064012573
                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction ID: cefb486b5b680c260e05d7decbf669bbe41ea7f30ff57d5c5bc1a323ecec37ec
                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction Fuzzy Hash: BAA13A7190021DAFDB119FA0DD88BEEBFBDFB48340F14806AE505E6150EB75AA85CB64
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D
                                                                                      • API String ID: 2976863881-3064012573
                                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      • Opcode ID: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                      • Opcode Fuzzy Hash: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
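Several of the records above are each one technique written out as API calls: VirtualAllocEx with protection 0x40 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory; RegOpenKeyExA on 0x80000001 (HKEY_CURRENT_USER) together with RegSetValueExA, CreateProcessA and a trailing DeleteFileA; SetSecurityDescriptorOwner followed by RegSetKeySecurity in the routine whose strings name C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe; GetProcAddress resolving Nt*Token exports from ntdll.dll; and send/recv next to the SMTP envelope strings. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses record lines in the form shown on this page and flags those combinations. The rule names are mine, the SAMPLE text is a trimmed copy of five records from this page, and "Part of subcall function" lines are skipped.

```python
"""Triage the function records of this report by API/argument/string combination.
Added example, not part of the Joe Sandbox report or of the sample.  It parses the
"• Api.DLL(args), ref: addr" lines and the "• String ID:" line of each record as
they appear on this page; rule names are mine; SAMPLE is a trimmed copy of five
records from the page; "Part of subcall function" lines are ignored."""
import re
from dataclasses import dataclass, field

# Trimmed copy of records from this report: injection primitive, dropper,
# ntdll resolver, registry ACL change, SMTP client.  Used as offline input.
SAMPLE = r"""
APIs
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005B6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005B6652
• String ID:
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 005BA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005BA1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005BA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005BA398
• String ID: "$"$"$D$P$\
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• String ID: NtClose$NtDuplicateToken$NtOpenProcessToken$ntdll.dll
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 005B7D21
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005B7E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 005B7E12
• String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D
APIs
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• String ID: .$AUTH LOGIN$ehlo %s$mail from:<%s>$quit$rcpt to:<%s>
"""

API_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?")   # name.DLL(args)
STR_RE = re.compile(r"•\s*String ID:\s*(.*)")


@dataclass
class Record:
    apis: list = field(default_factory=list)     # (api_name, dll, [arg tokens])
    strings: list = field(default_factory=list)  # String ID tokens, '$'-separated


def parse_records(text):
    """Each 'APIs' header opens a record; API lines and the String ID line fill it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = STR_RE.match(line)
        if m:
            cur.strings = [s for s in m.group(1).split("$") if s]
            continue
        m = API_RE.match(line)           # anchored, so subcall lines do not match
        if m and "ref:" in line:
            args = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
            cur.apis.append((m.group(1), m.group(2), args))
    return records


def _names(rec):
    return {name for name, _dll, _args in rec.apis}


def _arg(rec, api, index):
    """Yield the token at argument position `index` of every call to `api`."""
    for name, _dll, args in rec.apis:
        if name == api and len(args) > index:
            yield args[index]


# Constants exactly as they appear in the report's hex argument columns.
PAGE_EXECUTE_READWRITE = "00000040"
HKEY_CURRENT_USER = "80000001"

RULES = {
    # RWX remote allocation followed by a write into another process.
    "remote_memory_write": lambda r: {"VirtualAllocEx", "WriteProcessMemory"} <= _names(r)
        and PAGE_EXECUTE_READWRITE in _arg(r, "VirtualAllocEx", 4),
    # HKCU value written, a child started and a file deleted in one routine.
    "runkey_persist_selfdelete": lambda r:
        {"RegSetValueExA", "CreateProcessA", "DeleteFileA"} <= _names(r)
        and HKEY_CURRENT_USER in _arg(r, "RegOpenKeyExA", 0),
    # Owner rewritten and the descriptor pushed back onto a key or file.
    "acl_tampering": lambda r: "SetSecurityDescriptorOwner" in _names(r)
        and bool(_names(r) & {"RegSetKeySecurity", "SetFileSecurityA"}),
    # Token-related Nt* exports resolved by name rather than imported.
    "ntdll_token_api_resolution": lambda r: "GetProcAddress" in _names(r)
        and any(s.startswith("Nt") and "Token" in s for s in r.strings),
    # Raw socket I/O beside SMTP envelope commands.
    "smtp_client": lambda r: {"send", "recv"} <= _names(r)
        and any(s.startswith("mail from:") for s in r.strings),
}


def triage(text):
    """Map record index -> matched rule names; records with no hit are omitted."""
    hits = {}
    for i, rec in enumerate(parse_records(text)):
        matched = [name for name, rule in RULES.items() if rule(rec)]
        if matched:
            hits[i] = matched
    return hits
```

Run over a saved copy of the report text, each hit maps straight back to the record's ref: addresses, which makes it the quickest way to choose which functions in the 0x400000 and 0x5B0000 dumps to open first.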
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005B7A96
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005B7ACD
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 005B7ADF
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 005B7B01
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005B7B1F
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005B7B39
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005B7B4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005B7B58
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005B7B68
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 005B7B77
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005B7B7E
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005B7B9A
                                                                                      • GetAce.ADVAPI32(?,?,?), ref: 005B7BCA
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005B7BF1
                                                                                      • DeleteAce.ADVAPI32(?,?), ref: 005B7C0A
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005B7C2C
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005B7CB1
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005B7CBF
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 005B7CD0
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 005B7CE0
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005B7CEE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: 89b3d1f8087c37c346829e3a0b83553d8ab56ba6775a03c85c3b5456b34aceab
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: B6812A7190421EABDB11CFA4DD88BEEBFB8BF4C300F14806AE515E6150E775AA45CF64
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$localcfg
                                                                                      • API String ID: 237177642-3136575136
                                                                                      • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                      • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-1839596206
                                                                                      • Opcode ID: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 835516345-270533642
                                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 005B865A
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 005B867B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005B86A8
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005B86B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: "$C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
                                                                                      • API String ID: 237177642-3625079511
                                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction ID: 85821c3d8349f5c2c54631db15a9b20db35bdab4210c84fb822d7bcb9cd761ab
                                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction Fuzzy Hash: 71C1AF7190020DBFEB11ABA4DC89EFE7FBCFB58300F144466F601E2051EA71AA84CB65
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 00402A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 00402A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                      • select.WS2_32 ref: 00402B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 005B1601
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 005B17D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $<$@$D
                                                                                      • API String ID: 1628651668-1974347203
                                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction ID: 0478a2caa60d847de6afc4da6a5c1a5d88685d59e1e2ea3119b4fab534bac4a6
                                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction Fuzzy Hash: DEF18DB15087819FD720CF64C898BEBBBE4FB88304F50892DF59697290D7B4E944CB5A
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005B76D9
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 005B7757
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 005B778F
                                                                                      • ___ascii_stricmp.LIBCMT ref: 005B78B4
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005B794E
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 005B796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005B797E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005B79AC
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005B7A56
                                                                                        • Part of subcall function 005BF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,005B772A,?), ref: 005BF414
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005B79F6
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005B7A4D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction ID: 14f9732c337209aa73aea5edd104c929df46266ba869ff8c445462af3ff76271
                                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction Fuzzy Hash: 80C1717290420EAFDB119BA4DC49FEE7FB9FF89310F1440A5F505E6191EB71AA848B60
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(774D0F10,?,774D0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407208
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(774D0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(774D0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 005B2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 005B2D07
• htons.WS2_32(00000000), ref: 005B2D42
• select.WS2_32 ref: 005B2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 005B2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 005B2E62
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: e67ff8fbd2cadab23183ffcaf0608f3f78c5a4bcb9df411f2a892b25876b9489
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 2D61CE71508305ABC720AF65DC09BFBBFE8FB88341F104819F98496251D7B4E8818BB6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,774D0F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,774D0F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,774D0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• GetVersionExA.KERNEL32 ref: 005B202D
• GetSystemInfo.KERNEL32(?), ref: 005B204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 005B206A
• GetProcAddress.KERNEL32(00000000), ref: 005B2071
• GetCurrentProcess.KERNEL32(?), ref: 005B2082
• GetTickCount.KERNEL32 ref: 005B2230
  • Part of subcall function 005B1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 005B1E7C
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: 2b252d354e93ad2067bb63dba5d330ae86db85dc8bea79181c75966064412eb6
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: 0551C2B0500749AFE320AF658C8AFE7BEECFB84704F04492DF99692142D6B9B944C775
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$wsprintf
                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                      • API String ID: 1220175532-3679488032
                                                                                      • Opcode ID: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                      • Instruction ID: bd7dfe77e026ff01e11c6618f048304d5953ff5d6b37f7005ea1b6d17bf081bd
                                                                                      • Opcode Fuzzy Hash: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                      • Instruction Fuzzy Hash: 263197B25401197ADF016B96CCC2DFFBB6CEF49348B14052BF904B1182EB789A6587E9
                                                                                      APIs
                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 005B3068
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 005B3078
                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 005B3095
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005B30B6
                                                                                      • htons.WS2_32(00000035), ref: 005B30EF
                                                                                      • inet_addr.WS2_32(?), ref: 005B30FA
                                                                                      • gethostbyname.WS2_32(?), ref: 005B310D
                                                                                      • HeapFree.KERNEL32(00000000), ref: 005B314D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: iphlpapi.dll
                                                                                      • API String ID: 2869546040-3565520932
                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction ID: b3f9f70ca6d8991288c699e43f262cda0016f8682bd8e67a18eb20bb5b2c0807
                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction Fuzzy Hash: F1314331A0060AABDB119BB89C48AEE7FBCBF05761F144165E518F7290DB74EA41CB58
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?), ref: 005B95A7
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005B95D5
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005B95DC
                                                                                      • wsprintfA.USER32 ref: 005B9635
                                                                                      • wsprintfA.USER32 ref: 005B9673
                                                                                      • wsprintfA.USER32 ref: 005B96F4
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005B9758
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005B978D
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005B97D8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID:
                                                                                      • API String ID: 3696105349-0
                                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction ID: a542cc43369465f5bf6131ba8fda483b4b66301481c61cb5793809328b6c73d7
                                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction Fuzzy Hash: 52A17EB194020DAFEB21DFA0DC49FDA3FACFB45741F104026FA1596152E7B5E984CBA4
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 3560063639-3847274415
                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-1625972887
                                                                                      • Opcode ID: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                      • Opcode Fuzzy Hash: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3188212458-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005B67C3
                                                                                      • htonl.WS2_32(?), ref: 005B67DF
                                                                                      • htonl.WS2_32(?), ref: 005B67EE
                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005B68F1
                                                                                      • ExitProcess.KERNEL32 ref: 005B69BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                                      • String ID: except_info$localcfg
                                                                                      • API String ID: 1150517154-3605449297
                                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction ID: d4a9b0e2127745ba7997dc03925d5dfde377ad9a2a57506eba5529799c59dca6
                                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction Fuzzy Hash: 8A616072940208AFDB609FB4DC45FEA7BE9FF48300F148066FA6DD2161DA75A990CF54
                                                                                      APIs
                                                                                      • htons.WS2_32(005BCC84), ref: 005BF5B4
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 005BF5CE
                                                                                      • closesocket.WS2_32(00000000), ref: 005BF5DC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction ID: a44898ad5f234a90a7fc399be8b9dc11e02b1153f014cf1e7250ec6210b0f23a
                                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction Fuzzy Hash: B1315A76900119ABDB10DFA5EC89DEEBBBCFF88310F104576F915E3150E770AA818BA4
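Added triage example, not part of the Joe Sandbox report or of the sample's own code: the function blocks above attribute a set of plaintext strings to this sample (configuration keys such as time_cfg, localcfg and except_info; the SMTP response-class keys smtp_herr, smtp_ban and smtp_retr compared via lstrcmpiA; the spam-template placeholders %DATE, %FROM_DOMAIN, %TO_EMAIL and so on passed to wsprintfA; and the dnsapi.dll / DnsQuery_A / iphlpapi.dll names resolved at run time). The script below searches a raw memory dump for exactly those strings and reports each hit with its offset, so an analyst can check whether a dump taken from another host matches the unpacked images this report describes. The grouping of strings into categories and the three-category threshold in triage_verdict are assumptions made for this example, not a rule from the report; the sample dump is constructed inline.

```python
"""Added triage example (not part of the Joe Sandbox report or the sample).

Scans a raw memory dump for the plaintext strings that the IDA-plugin
blocks above attribute to this sample and returns every hit with its
offset, grouped by what the string is used for.
"""
import re
from collections import defaultdict

# Strings copied from the report blocks above. The category names and the
# grouping are this example's own assumption, not Joe Sandbox output.
INDICATORS = {
    "config_key": [b"time_cfg", b"localcfg", b"except_info"],
    "smtp_response_class": [b"smtp_herr", b"smtp_ban", b"smtp_retr"],
    "spam_template_placeholder": [
        b"%DATE", b"%FROM_DOMAIN", b"%FROM_USER", b"%M5DATE", b"%P5DATE",
        b"%TO_DOMAIN", b"%TO_EMAIL", b"%TO_HASH", b"%TO_USER",
    ],
    "dynamic_dns_resolution": [b"dnsapi.dll", b"DnsQuery_A", b"iphlpapi.dll"],
}


def scan_dump(data: bytes) -> dict:
    """Return {category: [(string, offset), ...]} for every indicator found.

    Matching is byte-exact and case-sensitive. The report lists these as
    ANSI strings (the A-suffixed APIs consume them), so no UTF-16 variant
    is searched.
    """
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            for m in re.finditer(re.escape(needle), data):
                hits[category].append((needle.decode(), m.start()))
    return dict(hits)


def triage_verdict(hits: dict, min_categories: int = 3) -> bool:
    """True when at least `min_categories` indicator groups are present.

    The threshold is an assumption for this example; a single hit on a
    generic placeholder such as %DATE would be far too weak on its own.
    """
    return sum(1 for entries in hits.values() if entries) >= min_categories


# Constructed sample dump: a few indicator strings between filler bytes.
# This is not a real memory image from the analysis.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"localcfg\x00"
    + b"\x90" * 8
    + b"smtp_retr\x00"
    + b"%TO_EMAIL\x00"
    + b"dnsapi.dll\x00DnsQuery_A\x00"
    + b"\xcc" * 4
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for category, entries in found.items():
        for text, offset in entries:
            print(f"{category:28s} {text!r:16s} @ 0x{offset:08x}")
    verdict = "consistent with report" if triage_verdict(found) else "no match"
    print("verdict:", verdict)
```

To use it on a real dump, read the .sdmp file as bytes and pass it to scan_dump; offsets are relative to the start of the file, so add the region base (0x400000 or 0x5B0000 in the blocks above) to compare against the report's addresses.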
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                      • wsprintfA.USER32 ref: 00407036
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                      • String ID: /%d$|
                                                                                      • API String ID: 676856371-4124749705
                                                                                      • Opcode ID: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                      • Opcode Fuzzy Hash: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 005B2FA1
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 005B2FB1
                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 005B2FC8
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 005B3000
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005B3007
                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 005B3032
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: dnsapi.dll
                                                                                      • API String ID: 1242400761-3175542204
                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction ID: 21b02c1c65e1e1676c498bff04207cf1531c4fb951c195246e60656f2ed366f5
                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction Fuzzy Hash: 1A217171901629BBCB219B55DC89AEEBFBCFF08B50F114421F905E7140D7B4AE8187E4
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                      • API String ID: 1082366364-3395550214
                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005B9A18
                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 005B9A52
                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 005B9A60
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005B9A98
                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 005B9AB5
                                                                                      • ResumeThread.KERNEL32(?), ref: 005B9AC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction ID: 984aecad86bb3164374d4f423bbc5856349b0097d64044014bc29e6e7bf60c95
                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction Fuzzy Hash: 74213BB1A01219BBDB219BA1DC09EEFBFBCFF04750F404061BA19E1050E7759A84CBA4
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(004102D8), ref: 005B1C18
                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 005B1C26
                                                                                      • GetProcessHeap.KERNEL32 ref: 005B1C84
                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 005B1C9D
                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 005B1CC1
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 005B1D02
                                                                                      • FreeLibrary.KERNEL32(?), ref: 005B1D0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID:
                                                                                      • API String ID: 2324436984-0
                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction ID: 95aac3d67d17b037f8798fd2b5d1486c03c1aa139e80297ce5ebd4bffeae7742
                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction Fuzzy Hash: E0315832E00609BFCB519FA4DC988EEBFB9FB45301BA4447AE501E6110D7B55E80DB98
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 005B6CE4
                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 005B6D22
                                                                                      • GetLastError.KERNEL32 ref: 005B6DA7
                                                                                      • CloseHandle.KERNEL32(?), ref: 005B6DB5
                                                                                      • GetLastError.KERNEL32 ref: 005B6DD6
                                                                                      • DeleteFileA.KERNEL32(?), ref: 005B6DE7
                                                                                      • GetLastError.KERNEL32 ref: 005B6DFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3873183294-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: 09ac034078e2bbb6fe46456f48667fc9cc08356b33edb250541a630f36315235
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 65310176A00249BFCB01DFA4DD49AEE7F79FB88300F148076E211E3211D774AA858B61
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uzbdhnkh,005B7043), ref: 005B6F4E
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005B6F55
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005B6F7B
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005B6F92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$\\.\pipe\uzbdhnkh
                                                                                      • API String ID: 1082366364-1442287239
                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction ID: d1bbfdfb6a423775b5617643ceb55a75d7aaa48b03f7f04b6d33d1192128ce0b
                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction Fuzzy Hash: 472138217443497EF7226335AC8DFFB2E4CAB96710F1880A5F504D5091DADDA8D6837D
                                                                                      APIs
                                                                                      • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A50D
                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A525
                                                                                      • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A52D
                                                                                      • GetComputerNameW.KERNEL32(?,?), ref: 0041A577
                                                                                      • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A588
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400747790.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_415000_jhrsuqtz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$BuildCommComputerExceptionFilterPathPrivateProfileShortStringUnhandledWrite
                                                                                      • String ID: -
                                                                                      • API String ID: 2733835202-2547889144
                                                                                      • Opcode ID: dd34520314507014667174f0e6434c3dbda5242ed859e180898910edffc3a613
                                                                                      • Instruction ID: 3cde9b8d507e75d165a48e7d4f5241052d71a567071430f553e1f5bb8a0b190c
                                                                                      • Opcode Fuzzy Hash: dd34520314507014667174f0e6434c3dbda5242ed859e180898910edffc3a613
                                                                                      • Instruction Fuzzy Hash: C121E770545214BBEB209F64DC85FEE7BB5EB4C320F5041A9F6099A181CF785AC48F5A
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: $localcfg
                                                                                      • API String ID: 1659193697-2018645984
                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction ID: a9c276c1b2eb92f59efa1c75ce5a6d4a443d1dbc568957a1db4178f691e32482
                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction Fuzzy Hash: 59712872A40309BEEF319B58DC8AFEE3F69BB40705F244427F905A6091DA72BD848757
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                      • Opcode Fuzzy Hash: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                      APIs
                                                                                        • Part of subcall function 005BDF6C: GetCurrentThreadId.KERNEL32 ref: 005BDFBA
                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 005BE8FA
                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,005B6128), ref: 005BE950
                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 005BE989
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 2920362961-1846390581
                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction ID: ff68b7c0858a29420441f28f6c995f5c9b25cd2dd290d50e703ddae12fc09fa7
                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction Fuzzy Hash: D831BE316007069BDB718F24C88ABE67FE4FB05721F18892AF55687551D374F888CB91
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction ID: 5186ca2aa4b4f8e0aef87278900366842e92cc942163dc64239ec8e6e7596969
                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction Fuzzy Hash: D6211A7A204219BFDB119BA0EC4AEDF7FADFB49761B208425F502E1091EB74EA409774
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 005B92E2
• wsprintfA.USER32 ref: 005B9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005B9375
• lstrlen.KERNEL32(?,?,00000000), ref: 005B9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 005B9394
• CloseHandle.KERNEL32(00000000), ref: 005B939B
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,0040E538,?,774D0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
APIs
• GetTickCount.KERNEL32 ref: 005BC6B4
• InterlockedIncrement.KERNEL32(005BC74B), ref: 005BC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,005BC747), ref: 005BC728
• CloseHandle.KERNEL32(00000000,?,005BC747,00413588,005B8A77), ref: 005BC733
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
• API String ID: 124786226-2154540336
APIs
• RegCreateKeyExA.ADVAPI32(80000001,005BE50A,00000000,00000000,00000000,00020106,00000000,005BE50A,00000000,000000E4), ref: 005BE319
• RegSetValueExA.ADVAPI32(005BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005BE38E
• RegDeleteValueA.ADVAPI32(005BE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D[), ref: 005BE3BF
• RegCloseKey.ADVAPI32(005BE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D[,005BE50A), ref: 005BE3C8
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: D[
• API String ID: 2667537340-2359138017
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 005B71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005B7228
• LocalFree.KERNEL32(?,?,?), ref: 005B7286
• wsprintfA.USER32 ref: 005B729D
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(?), ref: 0040AD60
• lstrlenA.KERNEL32(?), ref: 0040AD69
• lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
APIs
• GetLocalTime.KERNEL32(?), ref: 005BB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005BB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 005BB548
• GetTimeZoneInformation.KERNEL32(?), ref: 005BB590
• wsprintfA.USER32 ref: 005BB61E
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 005B6303
• LoadLibraryA.KERNEL32(?), ref: 005B632A
• GetProcAddress.KERNEL32(00000000,?), ref: 005B63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 005B6405
Memory Dump Source
• Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,774D0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: A$ A
                                                                                      • API String ID: 3343386518-686259309
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1802437671-0
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005B93C6
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005B93CD
                                                                                      • CharToOemA.USER32(?,?), ref: 005B93DB
                                                                                      • wsprintfA.USER32 ref: 005B9410
                                                                                        • Part of subcall function 005B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 005B92E2
                                                                                        • Part of subcall function 005B92CB: wsprintfA.USER32 ref: 005B9350
                                                                                        • Part of subcall function 005B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005B9375
                                                                                        • Part of subcall function 005B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 005B9389
                                                                                        • Part of subcall function 005B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 005B9394
                                                                                        • Part of subcall function 005B92CB: CloseHandle.KERNEL32(00000000), ref: 005B939B
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005B9448
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 3857584221-0
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 3857584221-0
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 2574300362-1087626847
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2777991786-2393279970
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *p@
                                                                                      • API String ID: 3429775523-2474123842
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg$u6A
                                                                                      • API String ID: 1594361348-1940331995
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 1d2a3b7c6f7ea271edeedc5c650fa9ee238e1258503c15c784c4f3b7ef5b90ca
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 47E0C2306086119FCB008B2CF848AC53BE4FF0A330F008580F044C31A1C734ECC097A0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID:
                                                                                      • API String ID: 2667537340-0
                                                                                      • Opcode ID: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                      • Opcode Fuzzy Hash: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005B41AB
                                                                                      • GetLastError.KERNEL32 ref: 005B41B5
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005B41C6
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005B41D9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 71a513bc9d4f550f422177c31ae1f0961c702b94fb57f211578ab1e4c3859c50
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: F601257691110AABDF11DF94ED84BEE3BACFB18355F008061F901E2050D770AAA0CFB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005B421F
                                                                                      • GetLastError.KERNEL32 ref: 005B4229
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005B423A
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005B424D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 89fa91474549ebfbe92448765db2b2dc538463015d1cadd30634eeeee98de609
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: D301A272911209ABDF11DF90EE84BEEBBACFB08356F108461F901E2051D770AA549FB6
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                      APIs
                                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 005BE066
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 1534048567-1846390581
                                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction ID: 32fa88398adad9b48caca3218c343102593f141e6326b2488853441698da23f0
                                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction Fuzzy Hash: 04F0623120070ADBCB20DF25D888AD2BBF9FB05321B48862AE155C3060D3B4B899CB51
                                                                                      APIs
                                                                                      • QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B03C,0041A971), ref: 0041A5DC
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B03C,0041A971), ref: 0041A5F7
                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A61A
                                                                                      • GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 0041A622
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400747790.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_415000_jhrsuqtz.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
                                                                                      • String ID:
                                                                                      • API String ID: 975556166-0
                                                                                      • Opcode ID: fc213b24a92c472580c126cfe80f9bbfcf6dd46c5811944ea437593e0904f25d
                                                                                      • Instruction ID: 494602ce712dfe78f3d2314fcb4a20314ccfb6bfbb70b33752429d16c64ce78c
                                                                                      • Opcode Fuzzy Hash: fc213b24a92c472580c126cfe80f9bbfcf6dd46c5811944ea437593e0904f25d
                                                                                      • Instruction Fuzzy Hash: 9AF08235785214ABEA30A764EC4AF963764E71C71AF908032F629962E0C7E419818B5E
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,D[,00000000,00000000,00000000), ref: 005BE470
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 005BE484
                                                                                        • Part of subcall function 005BE2FC: RegCreateKeyExA.ADVAPI32(80000001,005BE50A,00000000,00000000,00000000,00020106,00000000,005BE50A,00000000,000000E4), ref: 005BE319
                                                                                        • Part of subcall function 005BE2FC: RegSetValueExA.ADVAPI32(005BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005BE38E
                                                                                        • Part of subcall function 005BE2FC: RegDeleteValueA.ADVAPI32(005BE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D[), ref: 005BE3BF
                                                                                        • Part of subcall function 005BE2FC: RegCloseKey.ADVAPI32(005BE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D[,005BE50A), ref: 005BE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: D[
                                                                                      • API String ID: 4151426672-2359138017
                                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction ID: e7b139525f47d4122370ed4cdab8c198bab3c590943177ea5f98603f6bf4bc94
                                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction Fuzzy Hash: 3741D871900209BAEF206B518C4BFEF3F6CFF45724F188125FA0994192E7B5AA50D6B4
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005B83C6
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 005B8477
                                                                                        • Part of subcall function 005BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005B1DCF,?), ref: 005BEEA8
                                                                                        • Part of subcall function 005BEE95: HeapFree.KERNEL32(00000000), ref: 005BEEAF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$CloseFreeOpenProcess
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
                                                                                      • API String ID: 1016092768-2154540336
                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction ID: 4fde68677851f346d0ac9e6e31f845047615bb0000dbbd6e190803eee9daccd7
                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction Fuzzy Hash: 3C415EB290110ABFEF10ABA49E85DFF7F6CFB44344F1444A6F504D6151EAB0AA98CB64
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 005BAFFF
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005BB00D
                                                                                        • Part of subcall function 005BAF6F: gethostname.WS2_32(?,00000080), ref: 005BAF83
                                                                                        • Part of subcall function 005BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 005BAFE6
                                                                                        • Part of subcall function 005B331C: gethostname.WS2_32(?,00000080), ref: 005B333F
                                                                                        • Part of subcall function 005B331C: gethostbyname.WS2_32(?), ref: 005B3349
                                                                                        • Part of subcall function 005BAA0A: inet_ntoa.WS2_32(00000000), ref: 005BAA10
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %OUTLOOK_BND_
                                                                                      • API String ID: 1981676241-3684217054
                                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction ID: cffc76938d55058688b739609c2c9fc1989a3ad57ed5b4644cf84f2717e1c001
                                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction Fuzzy Hash: D841347290020DABDB25EFA4DC4AEEF3B6CFF44304F244426F92592152EB75E654CB54
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 005B9536
                                                                                      • Sleep.KERNEL32(000001F4), ref: 005B955D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-3916222277
                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction ID: 2c6a29b9ec20eac2be6a51fd3bc754db56fe2b9f19993fdac4610d933dfc8ee2
                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction Fuzzy Hash: A94113B18483896EEF378B64D89DBF67FA4BF02310F2840A5D282971E2D6B46D81C711
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                      • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,k@
                                                                                      • API String ID: 3934441357-1053005162
                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 005BB9D9
                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 005BBA3A
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005BBA94
                                                                                      • GetTickCount.KERNEL32 ref: 005BBB79
                                                                                      • GetTickCount.KERNEL32 ref: 005BBB99
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005BBE15
                                                                                      • closesocket.WS2_32(00000000), ref: 005BBEB4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 1869671989-2903620461
                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction ID: f99357b01152afd8dd30bcf1fb55a9fedeef62fceb0ce0c55062fdd22bfc890c
                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction Fuzzy Hash: CA317F71500248DFEF25DFA4DC89AED7BB8FB48700F204456FA2482161EBB5EA85CF15
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 005B70BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005B70F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: 500690029221fec0aa2aaa6f32a621cb7719f34c80e5c555977c6ef947bb9ff9
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: D8110C7290411CEBDF11CFD8DC84ADEBBBDBB48711F1441A6E501E6190D670AB88DBB0
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 005B2F88: GetModuleHandleA.KERNEL32(?), ref: 005B2FA1
                                                                                        • Part of subcall function 005B2F88: LoadLibraryA.KERNEL32(?), ref: 005B2FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B31DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 005B31E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400927151.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_5b0000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: ebfe1ce20004df77394db66accf9abefb5a786ca771e7d639e4cf4ba51f20144
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 04518E7590024AEFCB019F68DC889FABB75FF15304F144569EC9697211E732AA19CB90
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1400719293.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_400000_jhrsuqtz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                      Execution Graph

                                                                                      Execution Coverage:14.6%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:0.7%
                                                                                      Total number of Nodes:1803
                                                                                      Total number of Limit Nodes:18
2ed7d0f 6939->6945 6941 2ed7d7c SetSecurityDescriptorDacl 6940->6941 6942 2ed7d9f LocalFree 6940->6942 6941->6942 6943 2ed7d8c RegSetKeySecurity 6941->6943 6942->6927 6943->6942 6944 2ed7d9c 6943->6944 6944->6942 6946 2ed7d43 RegSetValueExA 6945->6946 6946->6937 6947 2ed7d54 6946->6947 6947->6937 6949 2edf1c3 6948->6949 6949->6855 6950->6356 6952 2eddd05 6 API calls 6951->6952 6955 2ede65f 6952->6955 6953 2ede6a5 6954 2edebcc 4 API calls 6953->6954 6959 2ede6f5 6953->6959 6957 2ede6b0 6954->6957 6955->6953 6956 2ede68c lstrcmpA 6955->6956 6956->6955 6957->6959 6960 2ede6b7 6957->6960 6961 2ede6e0 lstrcpynA 6957->6961 6958 2ede71d lstrcmpA 6958->6959 6959->6958 6959->6960 6960->6358 6961->6959 6962->6364 6964 2ed2692 inet_addr 6963->6964 6966 2ed268e 6963->6966 6965 2ed269e gethostbyname 6964->6965 6964->6966 6965->6966 6967 2edf428 6966->6967 7115 2edf315 6967->7115 6970 2edf43e 6971 2edf473 recv 6970->6971 6972 2edf47c 6971->6972 6973 2edf458 6971->6973 6972->6395 6973->6971 6973->6972 6975 2edc525 6974->6975 6977 2edc532 6974->6977 6975->6977 6978 2edec2e codecvt 4 API calls 6975->6978 6976 2edc548 6980 2ede7ff lstrcmpiA 6976->6980 6988 2edc54f 6976->6988 6977->6976 7128 2ede7ff 6977->7128 6978->6977 6981 2edc615 6980->6981 6982 2edebcc 4 API calls 6981->6982 6981->6988 6982->6988 6984 2edc5d1 6986 2edebcc 4 API calls 6984->6986 6985 2ede819 11 API calls 6987 2edc5b7 6985->6987 6986->6988 6989 2edf04e 4 API calls 6987->6989 6988->6377 6990 2edc5bf 6989->6990 6990->6976 6990->6984 6993 2edc8d2 6991->6993 6992 2edc907 6992->6379 6993->6992 6994 2edc517 23 API calls 6993->6994 6994->6992 6996 2edc670 6995->6996 6997 2edc67d 6995->6997 6998 2edebcc 4 API calls 6996->6998 6999 2edebcc 4 API calls 6997->6999 7001 2edc699 6997->7001 6998->6997 6999->7001 7000 2edc6f3 7000->6408 7000->6473 7001->7000 7002 2edc73c send 7001->7002 7002->7000 7004 2edc770 7003->7004 7005 2edc77d 7003->7005 7006 2edebcc 4 API calls 7004->7006 7007 2edc799 7005->7007 7008 2edebcc 4 API calls 
7005->7008 7006->7005 7009 2edc7b5 7007->7009 7011 2edebcc 4 API calls 7007->7011 7008->7007 7010 2edf43e recv 7009->7010 7012 2edc7cb 7010->7012 7011->7009 7013 2edf43e recv 7012->7013 7014 2edc7d3 7012->7014 7013->7014 7014->6473 7131 2ed7db7 7015->7131 7018 2ed7e70 7019 2ed7e96 7018->7019 7021 2edf04e 4 API calls 7018->7021 7019->6473 7020 2edf04e 4 API calls 7022 2ed7e4c 7020->7022 7021->7019 7022->7018 7023 2edf04e 4 API calls 7022->7023 7023->7018 7025 2ed6ec3 2 API calls 7024->7025 7026 2ed7fdd 7025->7026 7027 2ed73ff 17 API calls 7026->7027 7036 2ed80c2 CreateProcessA 7026->7036 7028 2ed7fff 7027->7028 7029 2ed7809 21 API calls 7028->7029 7028->7036 7030 2ed804d 7029->7030 7031 2edef1e lstrlenA 7030->7031 7030->7036 7032 2ed809e 7031->7032 7033 2edef1e lstrlenA 7032->7033 7034 2ed80af 7033->7034 7035 2ed7a95 24 API calls 7034->7035 7035->7036 7036->6461 7036->6462 7038 2ed7db7 2 API calls 7037->7038 7039 2ed7eb8 7038->7039 7040 2edf04e 4 API calls 7039->7040 7041 2ed7ece DeleteFileA 7040->7041 7041->6473 7043 2eddd05 6 API calls 7042->7043 7044 2ede31d 7043->7044 7135 2ede177 7044->7135 7046 2ede326 7046->6434 7048 2ed31f3 7047->7048 7058 2ed31ec 7047->7058 7049 2edebcc 4 API calls 7048->7049 7063 2ed31fc 7049->7063 7050 2ed344b 7051 2ed349d 7050->7051 7052 2ed3459 7050->7052 7054 2edec2e codecvt 4 API calls 7051->7054 7053 2edf04e 4 API calls 7052->7053 7055 2ed345f 7053->7055 7054->7058 7056 2ed30fa 4 API calls 7055->7056 7056->7058 7057 2edebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7057->7063 7058->6473 7059 2ed344d 7060 2edec2e codecvt 4 API calls 7059->7060 7060->7050 7062 2ed3141 lstrcmpiA 7062->7063 7063->7050 7063->7057 7063->7058 7063->7059 7063->7062 7161 2ed30fa GetTickCount 7063->7161 7065 2ed30fa 4 API calls 7064->7065 7066 2ed3c1a 7065->7066 7071 2ed3ce6 7066->7071 7166 2ed3a72 7066->7166 7069 2ed3a72 9 API calls 7072 2ed3c5e 7069->7072 7070 2ed3a72 9 API calls 7070->7072 7071->6473 7072->7070 7072->7071 7073 2edec2e 
GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7072->7073 7073->7072 7075 2ed3a10 7074->7075 7076 2ed30fa 4 API calls 7075->7076 7077 2ed3a1a 7076->7077 7077->6473 7079 2eddd05 6 API calls 7078->7079 7080 2ede7be 7079->7080 7080->6473 7082 2edc07e wsprintfA 7081->7082 7083 2edc105 7081->7083 7175 2edbfce GetTickCount wsprintfA 7082->7175 7083->6473 7085 2edc0ef 7176 2edbfce GetTickCount wsprintfA 7085->7176 7088 2ed6f88 LookupAccountNameA 7087->7088 7089 2ed7047 7087->7089 7091 2ed6fcb 7088->7091 7092 2ed7025 7088->7092 7089->6473 7094 2ed6fdb ConvertSidToStringSidA 7091->7094 7177 2ed6edd 7092->7177 7094->7092 7096 2ed6ff1 7094->7096 7096->7096 7097 2ed7013 LocalFree 7096->7097 7097->7092 7099 2eddd05 6 API calls 7098->7099 7100 2ede85c 7099->7100 7101 2eddd84 lstrcmpiA 7100->7101 7102 2ede867 7101->7102 7103 2ede885 lstrcpyA 7102->7103 7188 2ed24a5 7102->7188 7191 2eddd69 7103->7191 7109 2ed7db7 2 API calls 7108->7109 7110 2ed7de1 7109->7110 7111 2edf04e 4 API calls 7110->7111 7114 2ed7e16 7110->7114 7112 2ed7df2 7111->7112 7113 2edf04e 4 API calls 7112->7113 7112->7114 7113->7114 7114->6473 7116 2edf33b 7115->7116 7117 2edca1d 7115->7117 7118 2edf347 htons socket 7116->7118 7117->6392 7117->6970 7119 2edf374 closesocket 7118->7119 7120 2edf382 ioctlsocket 7118->7120 7119->7117 7121 2edf39d 7120->7121 7122 2edf3aa connect select 7120->7122 7123 2edf39f closesocket 7121->7123 7122->7117 7124 2edf3f2 __WSAFDIsSet 7122->7124 7123->7117 7124->7123 7125 2edf403 ioctlsocket 7124->7125 7127 2edf26d setsockopt setsockopt setsockopt setsockopt setsockopt 7125->7127 7127->7117 7129 2eddd84 lstrcmpiA 7128->7129 7130 2edc58e 7129->7130 7130->6976 7130->6984 7130->6985 7132 2ed7dc8 InterlockedExchange 7131->7132 7133 2ed7dd4 7132->7133 7134 2ed7dc0 Sleep 7132->7134 7133->7018 7133->7020 7134->7132 7137 2ede184 7135->7137 7136 2ede2e4 7136->7046 7137->7136 7138 2ede223 7137->7138 7151 2eddfe2 7137->7151 7138->7136 7140 2eddfe2 8 API calls 7138->7140 7145 2ede23c 
7140->7145 7141 2ede1be 7141->7138 7142 2eddbcf 3 API calls 7141->7142 7144 2ede1d6 7142->7144 7143 2ede21a CloseHandle 7143->7138 7144->7138 7144->7143 7146 2ede1f9 WriteFile 7144->7146 7145->7136 7155 2ede095 RegCreateKeyExA 7145->7155 7146->7143 7148 2ede213 7146->7148 7148->7143 7149 2ede2a3 7149->7136 7150 2ede095 4 API calls 7149->7150 7150->7136 7152 2eddffc 7151->7152 7154 2ede024 7151->7154 7153 2eddb2e 8 API calls 7152->7153 7152->7154 7153->7154 7154->7141 7156 2ede172 7155->7156 7158 2ede0c0 7155->7158 7156->7149 7157 2ede13d 7159 2ede14e RegDeleteValueA RegCloseKey 7157->7159 7158->7157 7160 2ede115 RegSetValueExA 7158->7160 7159->7156 7160->7157 7160->7158 7162 2ed3122 InterlockedExchange 7161->7162 7163 2ed310f GetTickCount 7162->7163 7164 2ed312e 7162->7164 7163->7164 7165 2ed311a Sleep 7163->7165 7164->7063 7165->7162 7167 2edf04e 4 API calls 7166->7167 7168 2ed3a83 7167->7168 7169 2ed3bc0 7168->7169 7173 2ed3b66 lstrlenA 7168->7173 7174 2ed3ac1 7168->7174 7170 2ed3be6 7169->7170 7172 2edec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7169->7172 7171 2edec2e codecvt 4 API calls 7170->7171 7171->7174 7172->7169 7173->7168 7173->7174 7174->7069 7174->7071 7175->7085 7176->7083 7178 2ed6eef AllocateAndInitializeSid 7177->7178 7184 2ed6f55 wsprintfA 7177->7184 7179 2ed6f1c CheckTokenMembership 7178->7179 7180 2ed6f44 7178->7180 7181 2ed6f2e 7179->7181 7182 2ed6f3b FreeSid 7179->7182 7180->7184 7185 2ed6e36 GetUserNameW 7180->7185 7181->7182 7182->7180 7184->7089 7186 2ed6e5f LookupAccountNameW 7185->7186 7187 2ed6e97 7185->7187 7186->7187 7187->7184 7189 2ed2419 4 API calls 7188->7189 7190 2ed24b6 7189->7190 7190->7103 7192 2eddd79 lstrlenA 7191->7192 7192->6473 7194 2edeb21 7193->7194 7195 2edeb17 7193->7195 7194->6519 7196 2edeae4 2 API calls 7195->7196 7196->7194 7199 2ed69b9 WriteFile 7197->7199 7200 2ed6a3c 7199->7200 7202 2ed69ff 7199->7202 7200->6514 7200->6515 7201 2ed6a10 WriteFile 7201->7200 7201->7202 7202->7200 7202->7201 
7204 2ed3edc 7203->7204 7205 2ed3ee2 7203->7205 7206 2ed6dc2 6 API calls 7204->7206 7205->6530 7206->7205 7208 2ed400b CreateFileA 7207->7208 7209 2ed402c GetLastError 7208->7209 7210 2ed4052 7208->7210 7209->7210 7211 2ed4037 7209->7211 7210->6533 7211->7210 7212 2ed4041 Sleep 7211->7212 7212->7208 7212->7210 7214 2ed3f7c 7213->7214 7215 2ed3f4e GetLastError 7213->7215 7217 2ed3f8c ReadFile 7214->7217 7215->7214 7216 2ed3f5b WaitForSingleObject GetOverlappedResult 7215->7216 7216->7214 7218 2ed3ff0 7217->7218 7219 2ed3fc2 GetLastError 7217->7219 7218->6538 7218->6539 7219->7218 7220 2ed3fcf WaitForSingleObject GetOverlappedResult 7219->7220 7220->7218 7222 2ed1924 GetVersionExA 7221->7222 7222->6578 7224 2edf0ed 7223->7224 7225 2edf0f1 7223->7225 7224->6610 7226 2edf119 7225->7226 7227 2edf0fa lstrlenA SysAllocStringByteLen 7225->7227 7228 2edf11c MultiByteToWideChar 7226->7228 7227->7228 7229 2edf117 7227->7229 7228->7229 7229->6610 7231 2ed1820 17 API calls 7230->7231 7232 2ed18f2 7231->7232 7233 2ed18f9 7232->7233 7247 2ed1280 7232->7247 7233->6604 7235 2ed1908 7235->6604 7260 2ed1000 7236->7260 7238 2ed1839 7239 2ed183d 7238->7239 7240 2ed1851 GetCurrentProcess 7238->7240 7239->6595 7241 2ed1864 7240->7241 7241->6595 7243 2ed920e 7242->7243 7246 2ed9308 7242->7246 7244 2ed92f1 Sleep 7243->7244 7245 2ed92bf ShellExecuteA 7243->7245 7243->7246 7244->7243 7245->7243 7245->7246 7246->6604 7250 2ed12e1 ShellExecuteExW 7247->7250 7249 2ed16f9 GetLastError 7251 2ed1699 7249->7251 7250->7249 7258 2ed13a8 7250->7258 7251->7235 7252 2ed1570 lstrlenW 7252->7258 7253 2ed15be GetStartupInfoW 7253->7258 7254 2ed15ff CreateProcessWithLogonW 7255 2ed16bf GetLastError 7254->7255 7256 2ed163f WaitForSingleObject 7254->7256 7255->7251 7257 2ed1659 CloseHandle 7256->7257 7256->7258 7257->7258 7258->7251 7258->7252 7258->7253 7258->7254 7259 2ed1668 CloseHandle 7258->7259 7259->7258 7261 2ed100d LoadLibraryA 7260->7261 7277 2ed1023 7260->7277 7262 2ed1021 7261->7262 7261->7277 
7262->7238 7263 2ed10b5 GetProcAddress 7264 2ed127b 7263->7264 7265 2ed10d1 GetProcAddress 7263->7265 7264->7238 7265->7264 7266 2ed10f0 GetProcAddress 7265->7266 7266->7264 7267 2ed1110 GetProcAddress 7266->7267 7267->7264 7268 2ed1130 GetProcAddress 7267->7268 7268->7264 7269 2ed114f GetProcAddress 7268->7269 7269->7264 7270 2ed116f GetProcAddress 7269->7270 7270->7264 7271 2ed118f GetProcAddress 7270->7271 7271->7264 7272 2ed11ae GetProcAddress 7271->7272 7272->7264 7273 2ed11ce GetProcAddress 7272->7273 7273->7264 7274 2ed11ee GetProcAddress 7273->7274 7274->7264 7275 2ed1209 GetProcAddress 7274->7275 7275->7264 7276 2ed1225 GetProcAddress 7275->7276 7276->7264 7278 2ed1241 GetProcAddress 7276->7278 7277->7263 7280 2ed10ae 7277->7280 7278->7264 7279 2ed125c GetProcAddress 7278->7279 7279->7264 7280->7238 7282 2ed908d 7281->7282 7283 2ed90e2 wsprintfA 7282->7283 7284 2edee2a 7283->7284 7285 2ed90fd CreateFileA 7284->7285 7286 2ed913f 7285->7286 7287 2ed911a lstrlenA WriteFile CloseHandle 7285->7287 7286->6633 7286->6634 7287->7286 7289 2edee2a 7288->7289 7290 2ed9794 CreateProcessA 7289->7290 7291 2ed97bb 7290->7291 7292 2ed97c2 7290->7292 7291->6644 7293 2ed97d4 GetThreadContext 7292->7293 7294 2ed97f5 7293->7294 7295 2ed9801 7293->7295 7296 2ed97f6 TerminateProcess 7294->7296 7302 2ed637c 7295->7302 7296->7291 7298 2ed9816 7298->7296 7299 2ed981e WriteProcessMemory 7298->7299 7299->7294 7300 2ed983b SetThreadContext 7299->7300 7300->7294 7301 2ed9858 ResumeThread 7300->7301 7301->7291 7303 2ed638a GetModuleHandleA VirtualAlloc 7302->7303 7304 2ed6386 7302->7304 7305 2ed63b6 7303->7305 7309 2ed63f5 7303->7309 7304->7298 7306 2ed63be VirtualAllocEx 7305->7306 7307 2ed63d6 7306->7307 7306->7309 7308 2ed63df WriteProcessMemory 7307->7308 7308->7309 7309->7298 7311 2ed879f 7310->7311 7312 2ed8791 7310->7312 7314 2ed87bc 7311->7314 7315 2edf04e 4 API calls 7311->7315 7313 2edf04e 4 API calls 7312->7313 7313->7311 7316 2ede819 11 API calls 7314->7316 7315->7314 7317 
2ed87d7 7316->7317 7330 2ed8803 7317->7330 7465 2ed26b2 gethostbyaddr 7317->7465 7320 2ed87eb 7322 2ede8a1 30 API calls 7320->7322 7320->7330 7322->7330 7325 2edf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7325->7330 7326 2ede819 11 API calls 7326->7330 7327 2ed88a0 Sleep 7327->7330 7329 2ed26b2 2 API calls 7329->7330 7330->7325 7330->7326 7330->7327 7330->7329 7331 2ede8a1 30 API calls 7330->7331 7362 2ed8cee 7330->7362 7370 2edc4d6 7330->7370 7373 2edc4e2 7330->7373 7376 2ed2011 7330->7376 7411 2ed8328 7330->7411 7331->7330 7333 2ed407d 7332->7333 7334 2ed4084 7332->7334 7335 2ed3ecd 6 API calls 7334->7335 7336 2ed408f 7335->7336 7337 2ed4000 3 API calls 7336->7337 7338 2ed4095 7337->7338 7339 2ed4130 7338->7339 7340 2ed40c0 7338->7340 7341 2ed3ecd 6 API calls 7339->7341 7345 2ed3f18 4 API calls 7340->7345 7342 2ed4159 CreateNamedPipeA 7341->7342 7343 2ed4188 ConnectNamedPipe 7342->7343 7344 2ed4167 Sleep 7342->7344 7348 2ed4195 GetLastError 7343->7348 7356 2ed41ab 7343->7356 7344->7339 7346 2ed4176 CloseHandle 7344->7346 7347 2ed40da 7345->7347 7346->7343 7349 2ed3f8c 4 API calls 7347->7349 7350 2ed425e DisconnectNamedPipe 7348->7350 7348->7356 7352 2ed40ec 7349->7352 7350->7343 7351 2ed3f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7351->7356 7353 2ed4127 CloseHandle 7352->7353 7354 2ed4101 7352->7354 7353->7339 7357 2ed3f18 4 API calls 7354->7357 7355 2ed3f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7355->7356 7356->7343 7356->7350 7356->7351 7356->7355 7359 2ed426a CloseHandle CloseHandle 7356->7359 7358 2ed411c ExitProcess 7357->7358 7360 2ede318 23 API calls 7359->7360 7361 2ed427b 7360->7361 7361->7361 7363 2ed8dae 7362->7363 7364 2ed8d02 GetTickCount 7362->7364 7363->7330 7364->7363 7367 2ed8d19 7364->7367 7365 2ed8da1 GetTickCount 7365->7363 7367->7365 7369 2ed8d89 7367->7369 7470 2eda677 7367->7470 7473 2eda688 7367->7473 7369->7365 7481 2edc2dc 7370->7481 7374 2edc2dc 125 API 
calls 7373->7374 7375 2edc4ec 7374->7375 7375->7330 7377 2ed202e 7376->7377 7378 2ed2020 7376->7378 7380 2edf04e 4 API calls 7377->7380 7384 2ed204b 7377->7384 7379 2edf04e 4 API calls 7378->7379 7379->7377 7380->7384 7381 2ed206e GetTickCount 7383 2ed20db GetTickCount 7381->7383 7393 2ed2090 7381->7393 7382 2edf04e 4 API calls 7386 2ed2068 7382->7386 7385 2ed2132 GetTickCount GetTickCount 7383->7385 7396 2ed20e7 7383->7396 7384->7381 7384->7382 7389 2edf04e 4 API calls 7385->7389 7386->7381 7387 2ed20d4 GetTickCount 7387->7383 7388 2ed212b GetTickCount 7388->7385 7391 2ed2159 7389->7391 7390 2ed2684 2 API calls 7390->7393 7394 2ed21b4 7391->7394 7395 2ede854 13 API calls 7391->7395 7393->7387 7393->7390 7401 2ed20ce 7393->7401 7757 2ed1978 7393->7757 7397 2edf04e 4 API calls 7394->7397 7398 2ed218e 7395->7398 7396->7388 7403 2ed1978 15 API calls 7396->7403 7404 2ed2125 7396->7404 7747 2ed2ef8 7396->7747 7400 2ed21d1 7397->7400 7402 2ede819 11 API calls 7398->7402 7405 2ed21f2 7400->7405 7407 2edea84 30 API calls 7400->7407 7401->7387 7406 2ed219c 7402->7406 7403->7396 7404->7388 7405->7330 7406->7394 7762 2ed1c5f 7406->7762 7408 2ed21ec 7407->7408 7409 2edf04e 4 API calls 7408->7409 7409->7405 7412 2ed7dd6 6 API calls 7411->7412 7413 2ed833c 7412->7413 7414 2ed8340 7413->7414 7415 2ed6ec3 2 API calls 7413->7415 7414->7330 7416 2ed834f 7415->7416 7417 2ed835c 7416->7417 7420 2ed846b 7416->7420 7418 2ed73ff 17 API calls 7417->7418 7439 2ed8373 7418->7439 7419 2ed675c 21 API calls 7422 2ed85df 7419->7422 7423 2ed84a7 RegOpenKeyExA 7420->7423 7453 2ed8450 7420->7453 7421 2ed8626 GetTempPathA 7425 2ed8638 7421->7425 7422->7421 7434 2ed8768 7422->7434 7455 2ed8671 7422->7455 7426 2ed84c0 RegQueryValueExA 7423->7426 7428 2ed852f 7423->7428 7425->7455 7429 2ed8521 RegCloseKey 7426->7429 7432 2ed84dd 7426->7432 7427 2ed86ad 7430 2ed8762 7427->7430 7433 2ed7e2f 6 API calls 7427->7433 7431 2ed8564 RegOpenKeyExA 7428->7431 7445 2ed85a5 7428->7445 7429->7428 7430->7434 7435 
2ed8573 RegSetValueExA RegCloseKey 7431->7435 7431->7445 7432->7429 7437 2edebcc 4 API calls 7432->7437 7442 2ed86bb 7433->7442 7434->7414 7436 2edec2e codecvt 4 API calls 7434->7436 7435->7445 7436->7414 7441 2ed84f0 7437->7441 7438 2ed875b DeleteFileA 7438->7430 7439->7414 7443 2ed83ea RegOpenKeyExA 7439->7443 7439->7453 7441->7429 7444 2ed84f8 RegQueryValueExA 7441->7444 7442->7438 7449 2ed86e0 lstrcpyA lstrlenA 7442->7449 7446 2ed83fd RegQueryValueExA 7443->7446 7443->7453 7444->7429 7447 2ed8515 7444->7447 7448 2edec2e codecvt 4 API calls 7445->7448 7445->7453 7450 2ed842d RegSetValueExA 7446->7450 7451 2ed841e 7446->7451 7452 2edec2e codecvt 4 API calls 7447->7452 7448->7453 7454 2ed7fcf 64 API calls 7449->7454 7456 2ed8447 RegCloseKey 7450->7456 7451->7450 7451->7456 7457 2ed851d 7452->7457 7453->7419 7453->7422 7458 2ed8719 CreateProcessA 7454->7458 7834 2ed6ba7 IsBadCodePtr 7455->7834 7456->7453 7457->7429 7459 2ed873d CloseHandle CloseHandle 7458->7459 7460 2ed874f 7458->7460 7459->7434 7461 2ed7ee6 64 API calls 7460->7461 7462 2ed8754 7461->7462 7463 2ed7ead 6 API calls 7462->7463 7464 2ed875a 7463->7464 7464->7438 7466 2ed26cd 7465->7466 7467 2ed26fb 7465->7467 7468 2ed26e1 inet_ntoa 7466->7468 7469 2ed26de 7466->7469 7467->7320 7468->7469 7469->7320 7476 2eda63d 7470->7476 7472 2eda685 7472->7367 7474 2eda63d GetTickCount 7473->7474 7475 2eda696 7474->7475 7475->7367 7477 2eda64d 7476->7477 7478 2eda645 7476->7478 7479 2eda65e GetTickCount 7477->7479 7480 2eda66e 7477->7480 7478->7472 7479->7480 7480->7472 7498 2eda4c7 GetTickCount 7481->7498 7484 2edc47a 7489 2edc4ab InterlockedIncrement CreateThread 7484->7489 7490 2edc4d2 7484->7490 7485 2edc326 7487 2edc337 7485->7487 7488 2edc32b GetTickCount 7485->7488 7486 2edc300 GetTickCount 7486->7487 7487->7484 7492 2edc363 GetTickCount 7487->7492 7488->7487 7489->7490 7491 2edc4cb CloseHandle 7489->7491 7503 2edb535 7489->7503 7490->7330 7491->7490 7492->7484 7493 2edc373 7492->7493 7494 2edc378 
GetTickCount 7493->7494 7495 2edc37f 7493->7495 7494->7495 7496 2edc43b GetTickCount 7495->7496 7497 2edc45e 7496->7497 7497->7484 7499 2eda4f7 InterlockedExchange 7498->7499 7500 2eda4e4 GetTickCount 7499->7500 7501 2eda500 7499->7501 7500->7501 7502 2eda4ef Sleep 7500->7502 7501->7484 7501->7485 7501->7486 7502->7499 7504 2edb566 7503->7504 7505 2edebcc 4 API calls 7504->7505 7506 2edb587 7505->7506 7507 2edebcc 4 API calls 7506->7507 7551 2edb590 7507->7551 7508 2edbdcd InterlockedDecrement 7509 2edbde2 7508->7509 7511 2edec2e codecvt 4 API calls 7509->7511 7512 2edbdea 7511->7512 7514 2edec2e codecvt 4 API calls 7512->7514 7513 2edbdb7 Sleep 7513->7551 7515 2edbdf2 7514->7515 7517 2edbe05 7515->7517 7518 2edec2e codecvt 4 API calls 7515->7518 7516 2edbdcc 7516->7508 7518->7517 7519 2edebed 8 API calls 7519->7551 7522 2edb6b6 lstrlenA 7522->7551 7523 2ed30b5 2 API calls 7523->7551 7524 2ede819 11 API calls 7524->7551 7525 2edb6ed lstrcpyA 7577 2ed5ce1 7525->7577 7528 2edb71f lstrcmpA 7529 2edb731 lstrlenA 7528->7529 7528->7551 7529->7551 7530 2edb772 GetTickCount 7530->7551 7531 2edbd49 InterlockedIncrement 7640 2eda628 7531->7640 7533 2edab81 lstrcpynA InterlockedIncrement 7533->7551 7535 2edb7ce InterlockedIncrement 7587 2edacd7 7535->7587 7536 2edbc5b InterlockedIncrement 7536->7551 7539 2edb912 GetTickCount 7539->7551 7540 2edbcdc closesocket 7540->7551 7541 2edb932 GetTickCount 7543 2edbc6d InterlockedIncrement 7541->7543 7541->7551 7542 2edb826 InterlockedIncrement 7542->7530 7543->7551 7544 2ed38f0 6 API calls 7544->7551 7546 2edbba6 InterlockedIncrement 7546->7551 7549 2edbc4c closesocket 7549->7551 7551->7508 7551->7513 7551->7516 7551->7519 7551->7522 7551->7523 7551->7524 7551->7525 7551->7528 7551->7529 7551->7530 7551->7531 7551->7533 7551->7535 7551->7536 7551->7539 7551->7540 7551->7541 7551->7542 7551->7544 7551->7546 7551->7549 7552 2edba71 wsprintfA 7551->7552 7553 2ed5ded 12 API calls 7551->7553 7554 2ed5ce1 22 API calls 7551->7554 7556 
2eda7c1 22 API calls 7551->7556 7557 2edef1e lstrlenA 7551->7557 7558 2eda688 GetTickCount 7551->7558 7559 2ed3e10 7551->7559 7562 2ed3e4f 7551->7562 7565 2ed384f 7551->7565 7585 2eda7a3 inet_ntoa 7551->7585 7592 2edabee 7551->7592 7604 2ed1feb GetTickCount 7551->7604 7625 2ed3cfb 7551->7625 7628 2edab81 7551->7628 7605 2eda7c1 7552->7605 7553->7551 7554->7551 7556->7551 7557->7551 7558->7551 7560 2ed30fa 4 API calls 7559->7560 7561 2ed3e1d 7560->7561 7561->7551 7563 2ed30fa 4 API calls 7562->7563 7564 2ed3e5c 7563->7564 7564->7551 7566 2ed30fa 4 API calls 7565->7566 7568 2ed3863 7566->7568 7567 2ed38b2 7567->7551 7568->7567 7569 2ed38b9 7568->7569 7570 2ed3889 7568->7570 7649 2ed35f9 7569->7649 7643 2ed3718 7570->7643 7575 2ed35f9 6 API calls 7575->7567 7576 2ed3718 6 API calls 7576->7567 7578 2ed5cec 7577->7578 7579 2ed5cf4 7577->7579 7655 2ed4bd1 GetTickCount 7578->7655 7580 2ed4bd1 4 API calls 7579->7580 7582 2ed5d02 7580->7582 7660 2ed5472 7582->7660 7586 2eda7b9 7585->7586 7586->7551 7588 2edf315 14 API calls 7587->7588 7589 2edaceb 7588->7589 7590 2edacff 7589->7590 7591 2edf315 14 API calls 7589->7591 7590->7551 7591->7590 7593 2edabfb 7592->7593 7596 2edac65 7593->7596 7723 2ed2f22 7593->7723 7595 2edf315 14 API calls 7595->7596 7596->7595 7597 2edac8a 7596->7597 7598 2edac6f 7596->7598 7597->7551 7600 2edab81 2 API calls 7598->7600 7599 2edac23 7599->7596 7602 2ed2684 2 API calls 7599->7602 7601 2edac81 7600->7601 7731 2ed38f0 7601->7731 7602->7599 7604->7551 7606 2eda87d lstrlenA send 7605->7606 7607 2eda7df 7605->7607 7608 2eda8bf 7606->7608 7609 2eda899 7606->7609 7607->7606 7610 2eda80a 7607->7610 7614 2eda7fa wsprintfA 7607->7614 7617 2eda8f2 7607->7617 7612 2eda8c4 send 7608->7612 7608->7617 7611 2eda8a5 wsprintfA 7609->7611 7624 2eda89e 7609->7624 7610->7606 7611->7624 7615 2eda8d8 wsprintfA 7612->7615 7612->7617 7613 2eda978 recv 7613->7617 7618 2eda982 7613->7618 7614->7610 7615->7624 7616 2eda9b0 wsprintfA 7616->7624 7617->7613 7617->7616 
7617->7618 7619 2ed30b5 2 API calls 7618->7619 7618->7624 7620 2edab05 7619->7620 7621 2ede819 11 API calls 7620->7621 7622 2edab17 7621->7622 7623 2eda7a3 inet_ntoa 7622->7623 7623->7624 7624->7551 7626 2ed30fa 4 API calls 7625->7626 7627 2ed3d0b 7626->7627 7627->7551 7629 2edab8c 7628->7629 7630 2edabe9 GetTickCount 7628->7630 7629->7630 7631 2edaba8 lstrcpynA 7629->7631 7632 2edabe1 InterlockedIncrement 7629->7632 7633 2eda51d 7630->7633 7631->7629 7632->7629 7634 2eda4c7 4 API calls 7633->7634 7635 2eda52c 7634->7635 7636 2eda542 GetTickCount 7635->7636 7638 2eda539 GetTickCount 7635->7638 7636->7638 7639 2eda56c 7638->7639 7639->7551 7641 2eda4c7 4 API calls 7640->7641 7642 2eda633 7641->7642 7642->7551 7644 2edf04e 4 API calls 7643->7644 7646 2ed372a 7644->7646 7645 2ed3847 7645->7567 7645->7576 7646->7645 7647 2ed37b3 GetCurrentThreadId 7646->7647 7647->7646 7648 2ed37c8 GetCurrentThreadId 7647->7648 7648->7646 7650 2edf04e 4 API calls 7649->7650 7653 2ed360c 7650->7653 7651 2ed36f1 7651->7567 7651->7575 7652 2ed36da GetCurrentThreadId 7652->7651 7654 2ed36e5 GetCurrentThreadId 7652->7654 7653->7651 7653->7652 7654->7651 7656 2ed4bff InterlockedExchange 7655->7656 7657 2ed4bec GetTickCount 7656->7657 7658 2ed4c08 7656->7658 7657->7658 7659 2ed4bf7 Sleep 7657->7659 7658->7579 7659->7656 7679 2ed4763 7660->7679 7662 2ed5b58 7689 2ed4699 7662->7689 7665 2ed4763 lstrlenA 7666 2ed5b6e 7665->7666 7710 2ed4f9f 7666->7710 7668 2ed5b79 7668->7551 7670 2ed5549 lstrlenA 7678 2ed548a 7670->7678 7671 2ed5472 13 API calls 7671->7678 7673 2ed558d lstrcpynA 7673->7678 7674 2ed4ae6 8 API calls 7674->7678 7675 2ed5a9f lstrcpyA 7675->7678 7676 2ed5935 lstrcpynA 7676->7678 7677 2ed58e7 lstrcpyA 7677->7678 7678->7662 7678->7671 7678->7673 7678->7674 7678->7675 7678->7676 7678->7677 7683 2ed4ae6 7678->7683 7687 2edef7c lstrlenA lstrlenA lstrlenA 7678->7687 7682 2ed477a 7679->7682 7680 2ed4859 7680->7678 7681 2ed480d lstrlenA 7681->7682 7682->7680 7682->7681 7684 2ed4af3 
7683->7684 7686 2ed4b03 7683->7686 7685 2edebed 8 API calls 7684->7685 7685->7686 7686->7670 7688 2edefb4 7687->7688 7688->7678 7715 2ed45b3 7689->7715 7692 2ed45b3 7 API calls 7693 2ed46c6 7692->7693 7694 2ed45b3 7 API calls 7693->7694 7695 2ed46d8 7694->7695 7696 2ed45b3 7 API calls 7695->7696 7697 2ed46ea 7696->7697 7698 2ed45b3 7 API calls 7697->7698 7699 2ed46ff 7698->7699 7700 2ed45b3 7 API calls 7699->7700 7701 2ed4711 7700->7701 7702 2ed45b3 7 API calls 7701->7702 7703 2ed4723 7702->7703 7704 2edef7c 3 API calls 7703->7704 7705 2ed4735 7704->7705 7706 2edef7c 3 API calls 7705->7706 7707 2ed474a 7706->7707 7708 2edef7c 3 API calls 7707->7708 7709 2ed475c 7708->7709 7709->7665 7711 2ed4fac 7710->7711 7713 2ed4fb0 7710->7713 7711->7668 7712 2ed4ffd 7712->7668 7713->7712 7714 2ed4fd5 IsBadCodePtr 7713->7714 7714->7713 7716 2ed45c1 7715->7716 7718 2ed45c8 7715->7718 7717 2edebcc 4 API calls 7716->7717 7717->7718 7719 2edebcc 4 API calls 7718->7719 7721 2ed45e1 7718->7721 7719->7721 7720 2ed4691 7720->7692 7721->7720 7722 2edef7c 3 API calls 7721->7722 7722->7721 7738 2ed2d21 GetModuleHandleA 7723->7738 7726 2ed2f44 7726->7599 7727 2ed2fcf GetProcessHeap HeapFree 7727->7726 7728 2ed2f4f 7730 2ed2f6b GetProcessHeap HeapFree 7728->7730 7729 2ed2f85 7729->7727 7729->7729 7730->7726 7732 2ed3980 7731->7732 7733 2ed3900 7731->7733 7732->7597 7734 2ed30fa 4 API calls 7733->7734 7737 2ed390a 7734->7737 7735 2ed391b GetCurrentThreadId 7735->7737 7736 2ed3939 GetCurrentThreadId 7736->7737 7737->7732 7737->7735 7737->7736 7739 2ed2d5b GetProcAddress 7738->7739 7740 2ed2d46 LoadLibraryA 7738->7740 7741 2ed2d6b DnsQuery_A 7739->7741 7744 2ed2d54 7739->7744 7740->7739 7740->7744 7743 2ed2d7d 7741->7743 7741->7744 7742 2ed2d97 GetProcessHeap HeapAlloc 7742->7744 7746 2ed2dac 7742->7746 7743->7742 7743->7744 7744->7726 7744->7728 7744->7729 7745 2ed2db5 lstrcpynA 7745->7746 7746->7743 7746->7745 7748 2ed2d21 7 API calls 7747->7748 7749 2ed2f01 7748->7749 7750 2ed2f14 7749->7750 
                                                                                      APIs
                                                                                      • closesocket.WS2_32(?), ref: 02EDCA4E
                                                                                      • closesocket.WS2_32(?), ref: 02EDCB63
                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 02EDCC28
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02EDCCB4
                                                                                      • WriteFile.KERNEL32(02EDA4B3,?,-000000E8,?,00000000), ref: 02EDCCDC
                                                                                      • CloseHandle.KERNEL32(02EDA4B3), ref: 02EDCCED
                                                                                      • wsprintfA.USER32 ref: 02EDCD21
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02EDCD77
                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02EDCD89
                                                                                      • CloseHandle.KERNEL32(?), ref: 02EDCD98
                                                                                      • CloseHandle.KERNEL32(?), ref: 02EDCD9D
                                                                                      • DeleteFileA.KERNEL32(?), ref: 02EDCDC4
                                                                                      • CloseHandle.KERNEL32(02EDA4B3), ref: 02EDCDCC
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02EDCFB1
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02EDCFEF
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02EDD033
                                                                                      • lstrcatA.KERNEL32(?,04500108), ref: 02EDD10C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 02EDD155
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02EDD171
                                                                                      • WriteFile.KERNEL32(00000000,0450012C,?,?,00000000), ref: 02EDD195
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02EDD19C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 02EDD1C8
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02EDD231
                                                                                      • lstrcatA.KERNEL32(?,04500108,?,?,?,?,?,?,?,00000100), ref: 02EDD27C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02EDD2AB
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD2C7
                                                                                      • WriteFile.KERNEL32(00000000,0450012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD2EB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD2F2
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02EDD326
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02EDD372
                                                                                      • lstrcatA.KERNEL32(?,04500108,?,?,?,?,?,?,?,00000100), ref: 02EDD3BD
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02EDD3EC
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD408
                                                                                      • WriteFile.KERNEL32(00000000,0450012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD428
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02EDD42F
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02EDD45B
                                                                                      • CreateProcessA.KERNEL32(?,02EE0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02EDD4DE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02EDD4F4
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02EDD4FC
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02EDD513
                                                                                      • closesocket.WS2_32(?), ref: 02EDD56C
                                                                                      • Sleep.KERNEL32(000003E8), ref: 02EDD577
                                                                                      • ExitProcess.KERNEL32 ref: 02EDD583
                                                                                      • wsprintfA.USER32 ref: 02EDD81F
                                                                                        • Part of subcall function 02EDC65C: send.WS2_32(00000000,?,00000000), ref: 02EDC74B
                                                                                      • closesocket.WS2_32(?), ref: 02EDDAD5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                      • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-1236896550
                                                                                      • Opcode ID: 129e9ad947de29bf4d34f1a778f05bfa95c2b515505cb40a70351054d174e2c3
                                                                                      • Instruction ID: c60d5686d5cc71c62c29150bfc4eb106a7414384bb054070aee9b78f6949107e
                                                                                      • Opcode Fuzzy Hash: 129e9ad947de29bf4d34f1a778f05bfa95c2b515505cb40a70351054d174e2c3
                                                                                      • Instruction Fuzzy Hash: 89B294B2DC0209ABEF20DFA5DC44FEA77ADEB04348F54A496F605AB140D7709996CF60
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 02ED9A7F
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 02ED9A83
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(02ED6511), ref: 02ED9A8A
                                                                                        • Part of subcall function 02EDEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02EDEC5E
                                                                                        • Part of subcall function 02EDEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02EDEC72
                                                                                        • Part of subcall function 02EDEC54: GetTickCount.KERNEL32 ref: 02EDEC78
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02ED9AB3
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02ED9ABA
                                                                                      • GetCommandLineA.KERNEL32 ref: 02ED9AFD
                                                                                      • lstrlenA.KERNEL32(?), ref: 02ED9B99
                                                                                      • ExitProcess.KERNEL32 ref: 02ED9C06
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 02ED9CAC
                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 02ED9D7A
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 02ED9D8B
                                                                                      • lstrcatA.KERNEL32(?,02EE070C), ref: 02ED9D9D
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02ED9DED
                                                                                      • DeleteFileA.KERNEL32(00000022), ref: 02ED9E38
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02ED9E6F
                                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02ED9EC8
                                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02ED9ED5
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02ED9F3B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02ED9F5E
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02ED9F6A
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02ED9FAD
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02ED9FB4
                                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02ED9FFE
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 02EDA038
                                                                                      • lstrcatA.KERNEL32(00000022,02EE0A34), ref: 02EDA05E
                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 02EDA072
                                                                                      • lstrcatA.KERNEL32(00000022,02EE0A34), ref: 02EDA08D
                                                                                      • wsprintfA.USER32 ref: 02EDA0B6
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 02EDA0DE
                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 02EDA0FD
                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02EDA120
                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02EDA131
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02EDA174
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02EDA17B
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 02EDA1B6
                                                                                      • GetCommandLineA.KERNEL32 ref: 02EDA1E5
                                                                                        • Part of subcall function 02ED99D2: lstrcpyA.KERNEL32(?,?,00000100,02EE22F8,00000000,?,02ED9E9D,?,00000022,?,?,?,?,?,?,?), ref: 02ED99DF
                                                                                        • Part of subcall function 02ED99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02ED9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02ED9A3C
                                                                                        • Part of subcall function 02ED99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02ED9E9D,?,00000022,?,?,?), ref: 02ED9A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 02EDA288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02EDA3B7
                                                                                      • GetLastError.KERNEL32 ref: 02EDA3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 02EDA400
                                                                                      • DeleteFileA.KERNELBASE(02EE33D8), ref: 02EDA407
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,02ED405E,00000000,00000000,00000000), ref: 02EDA42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 02EDA43A
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,02ED877E,00000000,00000000,00000000), ref: 02EDA469
                                                                                      • Sleep.KERNELBASE(00000BB8), ref: 02EDA48A
                                                                                      • GetTickCount.KERNEL32 ref: 02EDA49F
                                                                                      • GetTickCount.KERNEL32 ref: 02EDA4B7
                                                                                      • Sleep.KERNELBASE(00001A90), ref: 02EDA4C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D$P$\$puwycifc
                                                                                      • API String ID: 2089075347-2159763429
                                                                                      • Opcode ID: afd5c36e4d88cbf2a83dd3a3cc6cc62b56d1603d625d837ce03d73b970b314cc
                                                                                      • Instruction ID: 82843247f86e89df8e7ffa1cf9de4856b2a0fbc8392fc22fefe9c343b6bea9aa
                                                                                      • Opcode Fuzzy Hash: afd5c36e4d88cbf2a83dd3a3cc6cc62b56d1603d625d837ce03d73b970b314cc
                                                                                      • Instruction Fuzzy Hash: 325281B1CC0259EFDF21DBB0DC49EEE7BBDAB04304F4498A5F509A6141E7709A868F61

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 02ED19B1
                                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02ED1E9E), ref: 02ED19BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02ED19E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02ED19ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02ED19F9
                                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A1B
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02ED1E9E), ref: 02ED1A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A36
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02ED1E9E,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A4A
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,02ED1E9E,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A5A
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02ED1E9E,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A6E
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02ED1E9E), ref: 02ED1A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02ED1E9E), ref: 02ED1AA4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 293628436-270533642

                                                                                      Control-flow Graph

                                                                                      [Control-flow graph of function 02ED7A95-02ED7DB6; rendered graph not reproduced, called APIs listed below]
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02ED7ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02ED7ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,02EE070C,?,?,?), ref: 02ED7B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02ED7B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02ED7B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 02ED7B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02ED7B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02ED7B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02ED7B9C
                                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02ED7BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 02ED7BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,02ED7FC9,?,00000000), ref: 02ED7BCE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$D
                                                                                      • API String ID: 2976863881-3064012573

                                                                                      Control-flow Graph

                                                                                      [Control-flow graph of function 02ED7809-02ED7A94; rendered graph not reproduced, called APIs listed below]
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02ED782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02ED7866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 02ED7878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02ED789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,02ED7F63,?), ref: 02ED78B8
                                                                                      • EqualSid.ADVAPI32(?,02ED7F63), ref: 02ED78D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02ED78E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02ED78F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02ED7901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02ED7910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 02ED7917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02ED7933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 02ED7963
                                                                                      • EqualSid.ADVAPI32(?,02ED7F63), ref: 02ED798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 02ED79A3
                                                                                      • EqualSid.ADVAPI32(?,02ED7F63), ref: 02ED79C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02ED7A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02ED7A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02ED7A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02ED7A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 02ED7A87
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292

                                                                                      Control-flow Graph

                                                                                      [Control-flow graph of function 02ED8328-02ED877D; rendered graph not reproduced, called APIs listed below]
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02EE0750,?,?,00000000,localcfg,00000000), ref: 02ED83F3
                                                                                      • RegQueryValueExA.KERNELBASE(02EE0750,?,00000000,?,02ED8893,?,?,?,00000000,00000103,02EE0750,?,?,00000000,localcfg,00000000), ref: 02ED8414
                                                                                      • RegSetValueExA.KERNELBASE(02EE0750,?,00000000,00000004,02ED8893,00000004,?,?,00000000,00000103,02EE0750,?,?,00000000,localcfg,00000000), ref: 02ED8441
                                                                                      • RegCloseKey.ADVAPI32(02EE0750,?,?,00000000,00000103,02EE0750,?,?,00000000,localcfg,00000000), ref: 02ED844A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe$localcfg
                                                                                      • API String ID: 237177642-3136575136

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 02ED1DC6
                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 02ED1DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02ED1E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02ED1E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 02ED1E1B
                                                                                      • GetTickCount.KERNEL32 ref: 02ED1FC9
                                                                                        • Part of subcall function 02ED1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02ED1C15
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158

                                                                                      Control-flow Graph

                                                                                      [Control-flow graph of function 02ED73FF-02ED7808; rendered graph not reproduced, called APIs listed below]
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 02ED7472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED74F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED7528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 02ED764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED76E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02ED7706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED7717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED7745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 02ED77EF
                                                                                        • Part of subcall function 02EDF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02EE22F8,000000C8,02ED7150,?), ref: 02EDF1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02ED778F
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 02ED77E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: e89f6b73ecc02c9bf42d6560c7deb16c7012492cad64fdfb9ea285db35c74b8e
                                                                                      • Instruction ID: 2fef0f725fb854a6f15e3b59f342c455679e7cf3b8b258cadc53cd01444bb6fe
                                                                                      • Opcode Fuzzy Hash: e89f6b73ecc02c9bf42d6560c7deb16c7012492cad64fdfb9ea285db35c74b8e
                                                                                      • Instruction Fuzzy Hash: D6C1C271980209AFEB11DBA5DC48FEEBBB9EF44314F149495F504AA190EB70DA82CF60

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 02ED677E
                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 02ED679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 02ED67B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 02ED67BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 02ED67D3
                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,02ED8244,00000000,?,774D0F10,00000000), ref: 02ED6807
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 02ED681F
                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 02ED683E
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 02ED685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,02ED8244,00000000,?,774D0F10,00000000), ref: 02ED688B
                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 02ED6906
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,02ED8244,00000000,?,774D0F10,00000000), ref: 02ED691C
                                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,774D0F10,00000000), ref: 02ED6971
                                                                                        • Part of subcall function 02EDEC2E: GetProcessHeap.KERNEL32(00000000,02EDEA27,00000000,02EDEA27,00000000), ref: 02EDEC41
                                                                                        • Part of subcall function 02EDEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02EDEC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 1400801100-0
                                                                                      • Opcode ID: 8efe3f6e2984617b46ae42338e6defa90681f0a99064ea3151a195b37b03e12c
                                                                                      • Instruction ID: c4a4f2b833cb4e9034622f92e12558f956a8ffa0e05c85a42b4a8567fdb964d4
                                                                                      • Opcode Fuzzy Hash: 8efe3f6e2984617b46ae42338e6defa90681f0a99064ea3151a195b37b03e12c
                                                                                      • Instruction Fuzzy Hash: 5F712AB1C8021DEFDF148FA5DC80AEEBBB9FB04318F10956AE515A6190D7309E92DF60

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • htons.WS2_32(02EDCA1D), ref: 02EDF34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 02EDF367
                                                                                      • closesocket.WS2_32(00000000), ref: 02EDF375
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 1a2548509997d6d443206cb9a17784b79746b4e519c073907b36a17c5c2e6740
                                                                                      • Instruction ID: 051475fd8c1e640b24faa7953dce9a9582ed1366186676879c23f15e7b9c8908
                                                                                      • Opcode Fuzzy Hash: 1a2548509997d6d443206cb9a17784b79746b4e519c073907b36a17c5c2e6740
                                                                                      • Instruction Fuzzy Hash: 11317E72980118ABDB10DFA5DC849EE7BFCFF49314F108566F919E7141E7709A828BA0

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02ED4070
                                                                                      • ExitProcess.KERNEL32 ref: 02ED4121
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2404124870-0
                                                                                      • Opcode ID: 01693e7b361ccb41a0229e685d922e3116cd0d1c59c79583a28ec18b89fb9c96
                                                                                      • Instruction ID: fbdddf89ff7002766e0635bd5e4872cda900e3c91889977a9287cf850e5235da
                                                                                      • Opcode Fuzzy Hash: 01693e7b361ccb41a0229e685d922e3116cd0d1c59c79583a28ec18b89fb9c96
                                                                                      • Instruction Fuzzy Hash: EB5161B1DC0219BADF10ABA18D85FEF7B7DEB25718F409455F614BA0C0E7718A42CB61

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,02ED2F01,?,02ED20FF,02EE2000), ref: 02ED2D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 02ED2D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02ED2D61
                                                                                      • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02ED2D77
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02ED2D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 02ED2DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02ED2DCB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 233223969-3847274415
                                                                                      • Opcode ID: 26d6e17006b9935d74c0d34c6551e2de1ba19f55cf744b4f4cb263542c9cb614
                                                                                      • Instruction ID: 83c135ba216d4f7a703c55c5b9b450538cfd6d8e7faf37ebfc6783a6e52704cc
                                                                                      • Opcode Fuzzy Hash: 26d6e17006b9935d74c0d34c6551e2de1ba19f55cf744b4f4cb263542c9cb614
                                                                                      • Instruction Fuzzy Hash: D7218171980225EBCB219FA5DC44AAEBBB8EF09754F408412FA45F7101D3B099828BE0

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 02ED815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02EDA45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 02ED8187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02EDA45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 02ED81BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 02ED8210
                                                                                        • Part of subcall function 02ED675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 02ED677E
                                                                                        • Part of subcall function 02ED675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 02ED679A
                                                                                        • Part of subcall function 02ED675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 02ED67B0
                                                                                        • Part of subcall function 02ED675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 02ED67BF
                                                                                        • Part of subcall function 02ED675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 02ED67D3
                                                                                        • Part of subcall function 02ED675C: ReadFile.KERNELBASE(000000FF,?,00000040,02ED8244,00000000,?,774D0F10,00000000), ref: 02ED6807
                                                                                        • Part of subcall function 02ED675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 02ED681F
                                                                                        • Part of subcall function 02ED675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 02ED683E
                                                                                        • Part of subcall function 02ED675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 02ED685C
                                                                                        • Part of subcall function 02EDEC2E: GetProcessHeap.KERNEL32(00000000,02EDEA27,00000000,02EDEA27,00000000), ref: 02EDEC41
                                                                                        • Part of subcall function 02EDEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02EDEC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: C:\Windows\SysWOW64\puwycifc\jhrsuqtz.exe
                                                                                      • API String ID: 124786226-2154540336
                                                                                      • Opcode ID: 3f8c7d4cef236f23182fa96068e2445fd1b682867eb466efcb121a0616df7461
                                                                                      • Instruction ID: 04487ff46514fd8aaf2e9d992a0d33fae5d6e04f91e39556d97bf975fd6eef1f
                                                                                      • Opcode Fuzzy Hash: 3f8c7d4cef236f23182fa96068e2445fd1b682867eb466efcb121a0616df7461
                                                                                      • Instruction Fuzzy Hash: 3A4152B2DC1109BFEF11EFA1ED85EFE776D9B04308F449866FA05A6000E7705E968B61

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02ED1AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02ED1AE9
                                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02ED1B20
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 3646706440-1087626847
                                                                                      • Opcode ID: 1330725c42edbc00d2b17720e155165350822051bc8b6ad23e0139177efd7aa4
                                                                                      • Instruction ID: 900794c603d89f09e80fac2543baa918e6a56647b576a80ccb6395007739ea86
                                                                                      • Opcode Fuzzy Hash: 1330725c42edbc00d2b17720e155165350822051bc8b6ad23e0139177efd7aa4
                                                                                      • Instruction Fuzzy Hash: 17110671E81128EFDF218BA9CC948EDBBBAEB44B54B14D055F00EAF101E7704A42CB90

                                                                                      Control-flow Graph (rendered graph not reproduced; the original figure marks executed and not-executed basic blocks)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,02EDE5F2,00000000,00020119,02EDE5F2,02EE22F8), ref: 02EDE3E6
                                                                                      • RegQueryValueExA.ADVAPI32(02EDE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02EDE44E
                                                                                      • RegQueryValueExA.ADVAPI32(02EDE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02EDE482
                                                                                      • RegQueryValueExA.ADVAPI32(02EDE5F2,?,00000000,?,80000001,?), ref: 02EDE4CF
                                                                                      • RegCloseKey.ADVAPI32(02EDE5F2,?,?,?,?,000000C8,000000E4), ref: 02EDE520
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue$CloseOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1586453840-0
                                                                                      • Opcode ID: 9cd8ba3f529affbbac1d8b7b96a6e087b56a57dd6ce72c73c1e8b7cc01526a1a
                                                                                      • Instruction ID: 2b8a32e48dc80e28b5630e90bd02029833b0cc600807e4ef3cad58d94ae8320c
                                                                                      • Opcode Fuzzy Hash: 9cd8ba3f529affbbac1d8b7b96a6e087b56a57dd6ce72c73c1e8b7cc01526a1a
                                                                                      • Instruction Fuzzy Hash: 424107B2D80219EFDF11DFE4DC84DEEBBBAEB08344F549466F910A6150E3319A568B60

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 1351 2edf26d-2edf303 setsockopt * 5
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02EDF2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02EDF2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02EDF2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02EDF2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02EDF2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      • Opcode ID: 382af35e3df1b8112510c4c24e7cc706cc6583964d57b3a8aa5f4b8e73bdb0f0
                                                                                      • Instruction ID: 685bed17fc9d84a5d2bd47717bdfe81bf1ed536045ae98ee7010165728d35012
                                                                                      • Opcode Fuzzy Hash: 382af35e3df1b8112510c4c24e7cc706cc6583964d57b3a8aa5f4b8e73bdb0f0
                                                                                      • Instruction Fuzzy Hash: 5711FBB1A40248BAEF11DE95CD41F9E7FBCEB44751F004066BB04EA1D0E6B19A44CB94

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 1352 2ed1bdf-2ed1c04 call 2ed1ac3 1354 2ed1c09-2ed1c0b 1352->1354 1355 2ed1c0d-2ed1c1d GetComputerNameA 1354->1355 1356 2ed1c5a-2ed1c5e 1354->1356 1357 2ed1c1f-2ed1c24 1355->1357 1358 2ed1c45-2ed1c57 GetVolumeInformationA 1355->1358 1357->1358 1359 2ed1c26-2ed1c3b 1357->1359 1358->1356 1359->1359 1360 2ed1c3d-2ed1c3f 1359->1360 1360->1358 1361 2ed1c41-2ed1c43 1360->1361 1361->1356
                                                                                      APIs
                                                                                        • Part of subcall function 02ED1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02ED1AD4
                                                                                        • Part of subcall function 02ED1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02ED1AE9
                                                                                        • Part of subcall function 02ED1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02ED1B20
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02ED1C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02ED1C51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2794401326-2393279970
                                                                                      • Opcode ID: 1dd4b61d4ff5eb6c89501d169d60c57d34c9f6d22ba8473ded723d2e35cefdcb
                                                                                      • Instruction ID: 4971c84f978af757df546d5c4b62a8380b5f470297ec3bd6488057c9b0da3a56
                                                                                      • Opcode Fuzzy Hash: 1dd4b61d4ff5eb6c89501d169d60c57d34c9f6d22ba8473ded723d2e35cefdcb
                                                                                      • Instruction Fuzzy Hash: B201D2B2A80118BFEB14DAF8C8C09EFBBBCEB44248F104835E606E7140D2709E4586B0
                                                                                      APIs
                                                                                        • Part of subcall function 02ED1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02ED1AD4
                                                                                        • Part of subcall function 02ED1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02ED1AE9
                                                                                        • Part of subcall function 02ED1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02ED1B20
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02ED1BA3
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02ED1EFD,00000000,00000000,00000000,00000000), ref: 02ED1BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2794401326-1857712256
                                                                                      • Opcode ID: 8e090af8c62307a20cabe323e82ed5ca1e5c916a613f5df61efd3347723a2dbd
                                                                                      • Instruction ID: cf6a8c16b1dc902cbd6326d2446e1081624d754d7f7ce47bb8afcf801e716a26
                                                                                      • Opcode Fuzzy Hash: 8e090af8c62307a20cabe323e82ed5ca1e5c916a613f5df61efd3347723a2dbd
                                                                                      • Instruction Fuzzy Hash: 9A014BB6D40108FFEB019AE9C8859EFFABDAB48654F154562A605FB140D6B05E098AB0
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(00000001), ref: 02ED2693
                                                                                      • gethostbyname.WS2_32(00000001), ref: 02ED269F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: be68f43726adaaef3cd14fb104c16a133ce254561171f15d4fb1367e0abf889c
                                                                                      • Instruction ID: 9d4c8218ed67f21246cc04193c63c8dfdf27cb116421622a39a9b1632d74c0f0
                                                                                      • Opcode Fuzzy Hash: be68f43726adaaef3cd14fb104c16a133ce254561171f15d4fb1367e0abf889c
                                                                                      • Instruction Fuzzy Hash: CCE0C234A84211CFCB108F28F444BD577E5EF0A234F018580F964DB192C770DCC28780
                                                                                      APIs
                                                                                        • Part of subcall function 02EDDD05: GetTickCount.KERNEL32 ref: 02EDDD0F
                                                                                        • Part of subcall function 02EDDD05: InterlockedExchange.KERNEL32(02EE36B4,00000001), ref: 02EDDD44
                                                                                        • Part of subcall function 02EDDD05: GetCurrentThreadId.KERNEL32 ref: 02EDDD53
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,774D0F10,?,00000000,?,02EDA445), ref: 02EDE558
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,774D0F10,?,00000000,?,02EDA445), ref: 02EDE583
                                                                                      • CloseHandle.KERNEL32(00000000,?,774D0F10,?,00000000,?,02EDA445), ref: 02EDE5B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                      • String ID:
                                                                                      • API String ID: 3683885500-0
                                                                                      • Opcode ID: d4c35ffd652bc4081109f63e8d5212f81b8fea68d720bc1145b1ad21c498335a
                                                                                      • Instruction ID: 3f7f1600495ba6194f83e619b6abf93a0545dbc9a52e3a4ba2dd4ad4015c055c
                                                                                      • Opcode Fuzzy Hash: d4c35ffd652bc4081109f63e8d5212f81b8fea68d720bc1145b1ad21c498335a
                                                                                      • Instruction Fuzzy Hash: 862129B29C03047BFA207A729C1AF6B3E0DDB55754F04A954FE0EBD1C3EA61D91289B1
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000003E8), ref: 02ED88A5
                                                                                        • Part of subcall function 02EDF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02EDE342,00000000,7597EA50,80000001,00000000,02EDE513,?,00000000,00000000,?,000000E4), ref: 02EDF089
                                                                                        • Part of subcall function 02EDF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02EDE342,00000000,7597EA50,80000001,00000000,02EDE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02EDF093
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$FileSystem$Sleep
                                                                                      • String ID: localcfg$rresolv
                                                                                      • API String ID: 1561729337-486471987
                                                                                      • Opcode ID: 5182ee7fdd9881b489f337ba143ba9e7f72536173b3f38df9d22eae67f98af82
                                                                                      • Instruction ID: 1179c3b996a3e2f12e1b18b6ecd26b2aace0a626e717eb708e8f535f289a5f06
                                                                                      • Opcode Fuzzy Hash: 5182ee7fdd9881b489f337ba143ba9e7f72536173b3f38df9d22eae67f98af82
                                                                                      • Instruction Fuzzy Hash: 1F21DC315C8300AAFB14FF66AC46B6A369DD700714FD4A819FF05AA0C1DFE14583C9A2
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02EE22F8,02ED42B6,00000000,00000001,02EE22F8,00000000,?,02ED98FD), ref: 02ED4021
                                                                                      • GetLastError.KERNEL32(?,02ED98FD,00000001,00000100,02EE22F8,02EDA3C7), ref: 02ED402C
                                                                                      • Sleep.KERNEL32(000001F4,?,02ED98FD,00000001,00000100,02EE22F8,02EDA3C7), ref: 02ED4046
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 408151869-0
                                                                                      • Opcode ID: 04d4df8550adadfb0ebb8f3190f93a10dbbaa1a61861c8b1ab333448283d2a93
                                                                                      • Instruction ID: 48747803cf12e20516e508edc8b0b9e8c91415d27dfe4e827111439daacad1f9
                                                                                      • Opcode Fuzzy Hash: 04d4df8550adadfb0ebb8f3190f93a10dbbaa1a61861c8b1ab333448283d2a93
                                                                                      • Instruction Fuzzy Hash: 1AF082316C4101AADB314A25AC49B5A3261DB91728FA59E24F3B5F60D0C77044829A16
                                                                                      APIs
                                                                                      • GetEnvironmentVariableA.KERNEL32(02EDDC19,?,00000104), ref: 02EDDB7F
                                                                                      • lstrcpyA.KERNEL32(?,02EE28F8), ref: 02EDDBA4
                                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02EDDBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                      • String ID:
                                                                                      • API String ID: 2536392590-0
                                                                                      • Opcode ID: 1c7fe983faa11f777644466d06c3ca6123303c3715adb0969db9d617dcf29622
                                                                                      • Instruction ID: 1e97906e8c8c0ca5d66ad151e2492c7a597114048cd10f7a82d4b803a791e3ee
                                                                                      • Opcode Fuzzy Hash: 1c7fe983faa11f777644466d06c3ca6123303c3715adb0969db9d617dcf29622
                                                                                      • Instruction Fuzzy Hash: 6DF09071580209EBEF209F64DC49FD93B69AB00318F504994BB91A80D0D7F2D595CB10
                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02EDEC5E
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02EDEC72
                                                                                      • GetTickCount.KERNEL32 ref: 02EDEC78
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                      • String ID:
                                                                                      • API String ID: 1209300637-0
                                                                                      • Opcode ID: 971421b07118cec3af37e7b2eb6be9eae50ea4231c4faa52346e628b6ffd830b
                                                                                      • Instruction ID: 44da6d5d71b9164151cb0b120058b7762e0414053b01a91f247b8f4fd88b8e2f
                                                                                      • Opcode Fuzzy Hash: 971421b07118cec3af37e7b2eb6be9eae50ea4231c4faa52346e628b6ffd830b
                                                                                      • Instruction Fuzzy Hash: E2E09AF5C90104FFEB01EBB1DC4AE7B77BCEB08314F900A54B911EA080DAB09A548B60
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 02ED30D8
                                                                                      • gethostbyname.WS2_32(?), ref: 02ED30E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynamegethostname
                                                                                      • String ID:
                                                                                      • API String ID: 3961807697-0
                                                                                      • Opcode ID: afee3e601493326e6693b2caaf11a95e99f474c6a650d36ac9368607e54a129e
                                                                                      • Instruction ID: 03be3da248173916e071f44e553ec7461cf14da7caf98c35b8e27658900994ff
                                                                                      • Opcode Fuzzy Hash: afee3e601493326e6693b2caaf11a95e99f474c6a650d36ac9368607e54a129e
                                                                                      • Instruction Fuzzy Hash: 75E06571D40119ABCF009BA8EC89F9A77ECBB08208F084461F905E7241EA74E9058B90
                                                                                      APIs
                                                                                        • Part of subcall function 02EDEBA0: GetProcessHeap.KERNEL32(00000000,00000000,02EDEC0A,00000000,80000001,?,02EDDB55,7FFF0001), ref: 02EDEBAD
                                                                                        • Part of subcall function 02EDEBA0: HeapSize.KERNEL32(00000000,?,02EDDB55,7FFF0001), ref: 02EDEBB4
                                                                                      • GetProcessHeap.KERNEL32(00000000,02EDEA27,00000000,02EDEA27,00000000), ref: 02EDEC41
                                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 02EDEC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$FreeSize
                                                                                      • String ID:
                                                                                      • API String ID: 1305341483-0
                                                                                      • Opcode ID: 3525a1e2fcee461c57d7fe82a595258cdb5e038d8859a9a99032ac9aef3f0373
                                                                                      • Instruction ID: d0ba48361fd7b6a34e11296a014e5a770bb6430aadf40133c181583eaab84baa
                                                                                      • Opcode Fuzzy Hash: 3525a1e2fcee461c57d7fe82a595258cdb5e038d8859a9a99032ac9aef3f0373
                                                                                      • Instruction Fuzzy Hash: 47C012328C6330EBC9612651F80CFDF6B589F45611F4D4809F4057F040D7A068814AF1
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02EDEBFE,7FFF0001,?,02EDDB55,7FFF0001), ref: 02EDEBD3
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,02EDDB55,7FFF0001), ref: 02EDEBDA
                                                                                        • Part of subcall function 02EDEB74: GetProcessHeap.KERNEL32(00000000,00000000,02EDEC28,00000000,?,02EDDB55,7FFF0001), ref: 02EDEB81
                                                                                        • Part of subcall function 02EDEB74: HeapSize.KERNEL32(00000000,?,02EDDB55,7FFF0001), ref: 02EDEB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                      • String ID:
                                                                                      • API String ID: 2559512979-0
                                                                                      APIs
                                                                                      • recv.WS2_32(000000C8,?,00000000,02EDCA44), ref: 02EDF476
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: recv
                                                                                      • String ID:
                                                                                      • API String ID: 1507349165-0
                                                                                      APIs
                                                                                      • closesocket.WS2_32(00000000), ref: 02ED1992
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesocket
                                                                                      • String ID:
                                                                                      • API String ID: 2781271927-0
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02EDDDB5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 1586166983-0
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02ED9816,EntryPoint), ref: 02ED638F
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02ED9816,EntryPoint), ref: 02ED63A9
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02ED63CA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02ED63EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02ED1839,02ED9646), ref: 02ED1012
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02ED10C2
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02ED10E1
                                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02ED1101
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02ED1121
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02ED1140
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02ED1160
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02ED1180
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02ED119F
                                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02ED11BF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02ED11DF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02ED11FE
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02ED121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 02EDB2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02EDB2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 02EDB2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02EDB2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 02EDB31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 02EDB329
                                                                                      • wsprintfA.USER32 ref: 02EDB3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 02EDA7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02EDA87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 02EDA893
                                                                                      • wsprintfA.USER32 ref: 02EDA8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 02EDA8D2
                                                                                      • wsprintfA.USER32 ref: 02EDA8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02EDA97C
                                                                                      • wsprintfA.USER32 ref: 02EDA9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 02ED139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 02ED1571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-1839596206
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 02ED2A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 02ED2A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 02ED2AA0
                                                                                      • htons.WS2_32(00000000), ref: 02ED2ADB
                                                                                      • select.WS2_32 ref: 02ED2B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 02ED2B4A
                                                                                      • htons.WS2_32(?), ref: 02ED2B71
                                                                                      • htons.WS2_32(?), ref: 02ED2B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02ED2BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 02ED70C2
                                                                                      • RegEnumValueA.ADVAPI32(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 02ED719E
                                                                                      • RegCloseKey.ADVAPI32(774D0F10,?,774D0F10,00000000), ref: 02ED71B2
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 02ED7208
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 02ED7291
                                                                                      • ___ascii_stricmp.LIBCMT ref: 02ED72C2
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 02ED72D0
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 02ED7314
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02ED738D
                                                                                      • RegCloseKey.ADVAPI32(774D0F10), ref: 02ED73D8
                                                                                        • Part of subcall function 02EDF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02EE22F8,000000C8,02ED7150,?), ref: 02EDF1AD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                      • String ID: $"
                                                                                      • API String ID: 4293430545-3817095088
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 02EDAD98
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02EDADA6
                                                                                        • Part of subcall function 02EDAD08: gethostname.WS2_32(?,00000080), ref: 02EDAD1C
                                                                                        • Part of subcall function 02EDAD08: lstrlenA.KERNEL32(?), ref: 02EDAD60
                                                                                        • Part of subcall function 02EDAD08: lstrlenA.KERNEL32(?), ref: 02EDAD69
                                                                                        • Part of subcall function 02EDAD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02EDAD7F
                                                                                        • Part of subcall function 02ED30B5: gethostname.WS2_32(?,00000080), ref: 02ED30D8
                                                                                        • Part of subcall function 02ED30B5: gethostbyname.WS2_32(?), ref: 02ED30E2
                                                                                      • wsprintfA.USER32 ref: 02EDAEA5
                                                                                        • Part of subcall function 02EDA7A3: inet_ntoa.WS2_32(?), ref: 02EDA7A9
                                                                                      • wsprintfA.USER32 ref: 02EDAE4F
                                                                                      • wsprintfA.USER32 ref: 02EDAE5E
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02EDEF92
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(?), ref: 02EDEF99
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(00000000), ref: 02EDEFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                      • API String ID: 3631595830-1816598006
                                                                                      • Opcode ID: 15f671e56f2256b6aa8063b52d351059faf41a6495a971e1b1a3f55e227b58d5
                                                                                      • Instruction ID: d6e8793b42593b373cc14eb1747ad02789b4d27cbef2c2d0363b421c3c313b32
                                                                                      • Opcode Fuzzy Hash: 15f671e56f2256b6aa8063b52d351059faf41a6495a971e1b1a3f55e227b58d5
                                                                                      • Instruction Fuzzy Hash: 4B4162B298020CBBDF25EFA1CC45EEF3BADFB08304F148426B915A6151EA71D655CF60
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E01
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E11
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02ED2E2E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E4C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E4F
                                                                                      • htons.WS2_32(00000035), ref: 02ED2E88
                                                                                      • inet_addr.WS2_32(?), ref: 02ED2E93
                                                                                      • gethostbyname.WS2_32(?), ref: 02ED2EA6
                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2EE3
                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2EE6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                      • API String ID: 929413710-2099955842
                                                                                      • Opcode ID: 0f09d267425e8be7263f5d97fecb3259eff3c8321a3f1b3ac0bf2b8cdd011205
                                                                                      • Instruction ID: c001164d1da5442eea57106dcaab7eb84789ba9b6d6c84c74de0a7112a949d2f
                                                                                      • Opcode Fuzzy Hash: 0f09d267425e8be7263f5d97fecb3259eff3c8321a3f1b3ac0bf2b8cdd011205
                                                                                      • Instruction Fuzzy Hash: 2331D531DC0205EBDF129BB9D844B6E77B8AF04328F14A515FE14FB181E770C5828B64
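The per-function listings in this report are only useful at scale if they can be parsed. The Python below, added here as an example and not part of the Joe Sandbox report or of the sample's own code, turns blocks like the two above (the iphlpapi.dll/GetNetworkParams resolver, and the GetLocalTime/wsprintfA function whose String ID carries the `----=_NextPart_%03d_%04X_%08.8lX.%08.8lX` MIME-boundary template) into records (API, module, arguments, reference address, owning subcall), splits the `$`-separated String ID field, and applies a few triage rules. The sample text is constructed from lines copied out of this report; the bullet and `ref:` layout is assumed to be exactly the one shown on this page; the capability rules (for instance treating `htons(00000035)` as port 53, i.e. a DNS client that first asks GetNetworkParams for the system resolvers) are the editor's own assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" blocks and summarise each function.

Added example for this report; not Joe Sandbox code. SAMPLE is constructed
from lines copied from the report; RULES are the editor's triage assumptions.
"""
import re

# One call line:  "• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02ED2E2E"
# Subcall line:   "• Part of subcall function 02EDAD08: gethostname.WS2_32(?,00000080), ref: 02EDAD1C"
# No-arg line:    "• wsprintfA.USER32 ref: 02EDAEA5"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# "• API ID: ...", "• String ID: ...", "• API String ID: ..."
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?) ID:\s*(?P<val>.*)$")
# Sandbox renders unknown/numeric arguments as "?" or 8 hex digits (optionally negative)
HEXISH = re.compile(r"^-?[0-9A-F]{8}$|^\?$")

# Capability rules (assumption, not sandbox signatures): label -> predicate over one call.
RULES = [
    ("dynamic-import", lambda c: c["api"] in ("GetProcAddress", "LoadLibraryA", "LoadLibraryW")),
    ("winsock",        lambda c: c["module"] == "WS2_32"),
    ("dns-port-53",    lambda c: c["api"] == "htons" and c["args"] == ["00000035"]),  # 0x35 == 53
    ("registry",       lambda c: c["api"].startswith("Reg")),
    ("thread-create",  lambda c: c["api"] == "CreateThread"),
    ("file-delete",    lambda c: c["api"] in ("DeleteFileA", "DeleteFileW")),
]


def parse_blocks(text):
    """Split report text into per-function blocks; each block starts at an 'APIs' line."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": [], "ids": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            cur["calls"].append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": raw.split(",") if raw is not None else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),  # None when the call sits in the function itself
            })
            continue
        f = FIELD_LINE.match(line)
        if f:
            key, val = f.group("key"), f.group("val").strip()
            if key == "String":
                cur["strings"] = [s for s in val.split("$") if s]  # '$' separates strings
            else:
                cur["ids"][key] = val
    return blocks


def resolved_imports(block):
    """Names passed to GetProcAddress, i.e. imports the function resolves at run time."""
    names = []
    for c in block["calls"]:
        if c["api"] == "GetProcAddress":
            names += [a for a in c["args"] if not HEXISH.match(a)]
    return names


def capabilities(block):
    """Sorted capability labels triggered by the block's direct and subcall API calls."""
    return sorted({label for c in block["calls"] for label, pred in RULES if pred(c)})


def summarise(text):
    """One triage record per function block."""
    return [{"caps": capabilities(b), "imports": resolved_imports(b),
             "strings": b["strings"], "n_calls": len(b["calls"])}
            for b in parse_blocks(text)]


# Constructed input: lines copied from this report, two blocks.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02ED2F0F,?,02ED20FF,02EE2000), ref: 02ED2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02ED2E2E
• htons.WS2_32(00000035), ref: 02ED2E88
• inet_addr.WS2_32(?), ref: 02ED2E93
• gethostbyname.WS2_32(?), ref: 02ED2EA6
Strings
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
APIs
• GetLocalTime.KERNEL32(?), ref: 02EDAD98
  • Part of subcall function 02EDAD08: gethostname.WS2_32(?,00000080), ref: 02EDAD1C
• wsprintfA.USER32 ref: 02EDAEA5
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
"""

if __name__ == "__main__":
    for rec in summarise(SAMPLE):
        print(rec)
```

Run on the whole report (every block, not just these two), the `caps` and `imports` fields give a quick map of which functions do dynamic import resolution, touch Winsock, or talk to port 53, which is the usual starting point before opening the dump in a disassembler.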
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?,02ED9DD7,?,00000022,?,?,00000000,00000001), ref: 02ED9340
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02ED9DD7,?,00000022,?,?,00000000,00000001), ref: 02ED936E
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,02ED9DD7,?,00000022,?,?,00000000,00000001), ref: 02ED9375
                                                                                      • wsprintfA.USER32 ref: 02ED93CE
                                                                                      • wsprintfA.USER32 ref: 02ED940C
                                                                                      • wsprintfA.USER32 ref: 02ED948D
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02ED94F1
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02ED9526
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02ED9571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: runas
                                                                                      • API String ID: 3696105349-4000483414
                                                                                      • Opcode ID: 4c7d88abbed3f549090d3415f8e6c09fad73251fe4023045196ced2094f97611
                                                                                      • Instruction ID: b96310f7e6ab1064c68d1d946d69d052dedc896e0ccbc0293606661494923754
                                                                                      • Opcode Fuzzy Hash: 4c7d88abbed3f549090d3415f8e6c09fad73251fe4023045196ced2094f97611
                                                                                      • Instruction Fuzzy Hash: 14A18EB29C0248EFEF219FA1CC44FDE3BACEB04744F109465FA15A6142D7759686CFA1
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02ED2078
                                                                                      • GetTickCount.KERNEL32 ref: 02ED20D4
                                                                                      • GetTickCount.KERNEL32 ref: 02ED20DB
                                                                                      • GetTickCount.KERNEL32 ref: 02ED212B
                                                                                      • GetTickCount.KERNEL32 ref: 02ED2132
                                                                                      • GetTickCount.KERNEL32 ref: 02ED2142
                                                                                        • Part of subcall function 02EDF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02EDE342,00000000,7597EA50,80000001,00000000,02EDE513,?,00000000,00000000,?,000000E4), ref: 02EDF089
                                                                                        • Part of subcall function 02EDF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02EDE342,00000000,7597EA50,80000001,00000000,02EDE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02EDF093
                                                                                        • Part of subcall function 02EDE854: lstrcpyA.KERNEL32(00000001,?,?,02EDD8DF,00000001,localcfg,except_info,00100000,02EE0264), ref: 02EDE88B
                                                                                        • Part of subcall function 02EDE854: lstrlenA.KERNEL32(00000001,?,02EDD8DF,00000001,localcfg,except_info,00100000,02EE0264), ref: 02EDE899
                                                                                        • Part of subcall function 02ED1C5F: wsprintfA.USER32 ref: 02ED1CE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                      • API String ID: 3976553417-1522128867
                                                                                      • Opcode ID: 31ab9a0d6c1687d50432c48834447cbc286ddcbb808311a8c31f8b7e028af8b9
                                                                                      • Instruction ID: 84ebaefc7bc76e71ca91740fd53bb49fc2d40a8f8f41772f1eea0bd7c34203af
                                                                                      • Opcode Fuzzy Hash: 31ab9a0d6c1687d50432c48834447cbc286ddcbb808311a8c31f8b7e028af8b9
                                                                                      • Instruction Fuzzy Hash: A7513830DC43458EEF28DF31ED45B563BDAAB09318F809819FF0A9E191DBF09596CA24
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 02EDB467
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02EDEF92
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(?), ref: 02EDEF99
                                                                                        • Part of subcall function 02EDEF7C: lstrlenA.KERNEL32(00000000), ref: 02EDEFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$wsprintf
                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                      • API String ID: 1220175532-3679488032
                                                                                      • Opcode ID: db9610b7b9d12bbacc1085b3e8e6714f7347d6e84d5fa9f115fa0581ba438d50
                                                                                      • Instruction ID: 11840b4eddc978442fcfb220f73aa8e55cf30e690ab6599afaed045a90780515
                                                                                      • Opcode Fuzzy Hash: db9610b7b9d12bbacc1085b3e8e6714f7347d6e84d5fa9f115fa0581ba438d50
                                                                                      • Instruction Fuzzy Hash: 3F3189B25C01187EEF01BBA4CCC5CFF7B6EEE49348F189015F906B5100EB70AA168BA1
                                                                                      APIs
                                                                                        • Part of subcall function 02EDA4C7: GetTickCount.KERNEL32 ref: 02EDA4D1
                                                                                        • Part of subcall function 02EDA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02EDA4FA
                                                                                      • GetTickCount.KERNEL32 ref: 02EDC31F
                                                                                      • GetTickCount.KERNEL32 ref: 02EDC32B
                                                                                      • GetTickCount.KERNEL32 ref: 02EDC363
                                                                                      • GetTickCount.KERNEL32 ref: 02EDC378
                                                                                      • GetTickCount.KERNEL32 ref: 02EDC44D
                                                                                      • InterlockedIncrement.KERNEL32(02EDC4E4), ref: 02EDC4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,02EDB535,00000000,?,02EDC4E0), ref: 02EDC4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,02EDC4E0,02EE3588,02ED8810), ref: 02EDC4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: 1a5cfe5152bb219249e3e72babe1a0d1972a0d65c5b1e88efe779445a3d31d46
                                                                                      • Instruction ID: 50077627102460a7dae7929594043b342287662fb5710313de3762fbfe36e55d
                                                                                      • Opcode Fuzzy Hash: 1a5cfe5152bb219249e3e72babe1a0d1972a0d65c5b1e88efe779445a3d31d46
                                                                                      • Instruction Fuzzy Hash: D2514CB1A80B418FD7249F69C58452ABBE9FB48344B60BD3EE18BC7A90D774F845CB14
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02EDBE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02EDBE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02EDBE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02EDBF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02EDBF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02EDBF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-1625972887
                                                                                      • Opcode ID: 1f066b6b7a49c538f7b9025c3ffff044e306dbf74a9149eea2d753de5d1c60db
                                                                                      • Instruction ID: 29125b5e4bb292d54de79ad9d0a83061093f63ac1d0a408c0a55cfb953eae590
                                                                                      • Opcode Fuzzy Hash: 1f066b6b7a49c538f7b9025c3ffff044e306dbf74a9149eea2d753de5d1c60db
                                                                                      • Instruction Fuzzy Hash: B151A871A80219EFDF119F65CD40B6DBBB9AF4434CF45E459E842AB210E770E942CF90
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6A7D
                                                                                      • GetDiskFreeSpaceA.KERNEL32(02ED9E9D,02ED9A60,?,?,?,02EE22F8,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B4E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02ED9A60,?,?,02ED9E9D), ref: 02ED6B80
                                                                                      • GetLastError.KERNEL32(?,?,?,02ED9A60,?,?,02ED9E9D,?,?,?,?,?,02ED9E9D,?,00000022,?), ref: 02ED6B96
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3188212458-0
                                                                                      • Opcode ID: 59e5645287f3fc9200d7e6eb77339a35a95ba09e525899adf037989a059e27a8
                                                                                      • Instruction ID: 5147a9127074861733f05c50cf9000e895cd37b1e9d40643dbecfc35aef3cb71
                                                                                      • Opcode Fuzzy Hash: 59e5645287f3fc9200d7e6eb77339a35a95ba09e525899adf037989a059e27a8
                                                                                      • Instruction Fuzzy Hash: 7F31EEB2DC0249EFCF019FA19884ADEBB7DEB48314F048866F651AB240D77096968F61
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,02EDD7C3), ref: 02ED6F7A
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02EDD7C3), ref: 02ED6FC1
                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02ED6FE8
                                                                                      • LocalFree.KERNEL32(00000120), ref: 02ED701F
                                                                                      • wsprintfA.USER32 ref: 02ED7036
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                      • String ID: /%d$|
                                                                                      • API String ID: 676856371-4124749705
                                                                                      • Opcode ID: bb261e59558ebf3a645991de9a4a462d8a4cd392f7a15f1018e88343f31bbede
                                                                                      • Instruction ID: fdb77f79f5b2f869ad4d61cc8f45c20dd6a70f6fe230cbb560af621c8db61333
                                                                                      • Opcode Fuzzy Hash: bb261e59558ebf3a645991de9a4a462d8a4cd392f7a15f1018e88343f31bbede
                                                                                      • Instruction Fuzzy Hash: 60312772940209AFDB01DFA9D848BDA7BACEF04318F04D066F809DB140EA74D6098BA0
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02EE22F8,000000E4,02ED6DDC,000000C8), ref: 02ED6CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02ED6CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02ED6D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02ED6D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                      • API String ID: 1082366364-3395550214
                                                                                      • Opcode ID: e99128de8c91915e6637d3833a2e6aa045098ebeeafef965d2b3d66ee92c3dd4
                                                                                      • Instruction ID: 7810dc1ec451976429c00c9d5f5d3b5688467136b597ed0754cfb23cf84237a1
                                                                                      • Opcode Fuzzy Hash: e99128de8c91915e6637d3833a2e6aa045098ebeeafef965d2b3d66ee92c3dd4
                                                                                      • Instruction Fuzzy Hash: EB210451AC0254BDFF227A33BC88F672F5D8B43608F0CE444FA05AE095C7D4848782B6
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,02ED9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02EE22F8), ref: 02ED97B1
                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02EE22F8), ref: 02ED97EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02EE22F8), ref: 02ED97F9
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02EE22F8), ref: 02ED9831
                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02EE22F8), ref: 02ED984E
                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02EE22F8), ref: 02ED985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: c5e80b4254b13af911d0d35ca3a2ac81c3ef1a859a658b1c6d79a350c565c97a
                                                                                      • Instruction ID: cf1d55e9ca21d7d2b205f9fa0dfa9121f0026501d404df2e2d944305c37886a1
                                                                                      • Opcode Fuzzy Hash: c5e80b4254b13af911d0d35ca3a2ac81c3ef1a859a658b1c6d79a350c565c97a
                                                                                      • Instruction Fuzzy Hash: EE216B71D81219BBDF119FA2EC48FEF7BBCEF08654F404460BA09E9040EB709A55CAA0
                                                                                      APIs
                                                                                        • Part of subcall function 02EDDD05: GetTickCount.KERNEL32 ref: 02EDDD0F
                                                                                        • Part of subcall function 02EDDD05: InterlockedExchange.KERNEL32(02EE36B4,00000001), ref: 02EDDD44
                                                                                        • Part of subcall function 02EDDD05: GetCurrentThreadId.KERNEL32 ref: 02EDDD53
                                                                                        • Part of subcall function 02EDDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02EDDDB5
                                                                                      • lstrcpynA.KERNEL32(?,02ED1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02EDEAAA,?,?), ref: 02EDE8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02EDEAAA,?,?,00000001,?,02ED1E84,?), ref: 02EDE935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02EDEAAA,?,?,00000001,?,02ED1E84,?,0000000A), ref: 02EDE93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02EDEAAA,?,?,00000001,?,02ED1E84,?), ref: 02EDE94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: ba7d41ceecfdd338e8cd8795efa2d15a20d3a8fa7a9b0ccfab0a710e288547b2
                                                                                      • Instruction ID: 24eceaf62c7c45dc410859a199172944ed7c3fb3a95ac5b5dc77455a7a15be48
                                                                                      • Opcode Fuzzy Hash: ba7d41ceecfdd338e8cd8795efa2d15a20d3a8fa7a9b0ccfab0a710e288547b2
                                                                                      • Instruction Fuzzy Hash: DE512E7294020AAFCF11EFA8CD849AEB7F9BF48308F145569F505A7210E775EA15CF60
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: cbbe0252c52a836537b29fe0ecaad6867a3e997f37ea31f1eeed71f08389013e
                                                                                      • Instruction ID: 16d51ba0884d66ea66d1f9e03f534d83053f665630257ef9cf6c2286b264aa1b
                                                                                      • Opcode Fuzzy Hash: cbbe0252c52a836537b29fe0ecaad6867a3e997f37ea31f1eeed71f08389013e
                                                                                      • Instruction Fuzzy Hash: 1C215B72984105FEDF119BA1FD88DEF3BACDB44368B10AC15F502E5080EB719A52DA64
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,02EE22F8), ref: 02ED907B
                                                                                      • wsprintfA.USER32 ref: 02ED90E9
                                                                                      • CreateFileA.KERNEL32(02EE22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02ED910E
                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02ED9122
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02ED912D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 02ED9134
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2439722600-0
                                                                                      • Opcode ID: e0f2af3a8227062c3c4d960b4533eefda256ce83e59e88a1e8f010039e0295f5
                                                                                      • Instruction ID: cb79468199240e6b2af28c7910a2508d474b6f1c8b948ef0f48a048d40c44eb0
                                                                                      • Opcode Fuzzy Hash: e0f2af3a8227062c3c4d960b4533eefda256ce83e59e88a1e8f010039e0295f5
                                                                                      • Instruction Fuzzy Hash: E0118BB2AC0154BBFB156672DC0DFEF366EDBC5710F04C865BB0AB9040DA7049528A70
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02EDDD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02EDDD20
                                                                                      • GetTickCount.KERNEL32 ref: 02EDDD2E
                                                                                      • Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,02EDE538,?,774D0F10,?,00000000,?,02EDA445), ref: 02EDDD3B
                                                                                      • InterlockedExchange.KERNEL32(02EE36B4,00000001), ref: 02EDDD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02EDDD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: d2310a2a937436073b36bf93ef4e2016d34573d28e2120c61432f8f6b046a329
                                                                                      • Instruction ID: d6072c9ce199dda56a49dfeed3f7d262d7e88e307b1db80764c95e435f8f66ca
                                                                                      • Opcode Fuzzy Hash: d2310a2a937436073b36bf93ef4e2016d34573d28e2120c61432f8f6b046a329
                                                                                      • Instruction Fuzzy Hash: 20F09AB29C4205DFCF809AA6EC84B393BA4E746312F808D55F109DB240E76090A6CE22
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 02EDAD1C
                                                                                      • lstrlenA.KERNEL32(?), ref: 02EDAD60
                                                                                      • lstrlenA.KERNEL32(?), ref: 02EDAD69
                                                                                      • lstrcpyA.KERNEL32(?,LocalHost), ref: 02EDAD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: f875b34445f933a56d3cd3da9394fca92977580efeeea4fb6bc5d08e6cd0896c
                                                                                      • Instruction ID: fde9ae1632bcfda958f820aa2545416d072a858ca56a07c561f4b85fbd9ece5c
                                                                                      • Opcode Fuzzy Hash: f875b34445f933a56d3cd3da9394fca92977580efeeea4fb6bc5d08e6cd0896c
                                                                                      • Instruction Fuzzy Hash: 2601F520CC41899DDF315638D444BF93F66AB8760EF50F079E4C19B315EFA486878762
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02ED4BDD
                                                                                      • GetTickCount.KERNEL32 ref: 02ED4BEC
                                                                                      • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,02ED5D02,00000000,?,02EDB85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 02ED4BF9
                                                                                      • InterlockedExchange.KERNEL32(0321B1A8,00000001), ref: 02ED4C02
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 2207858713-2903620461
                                                                                      • Opcode ID: 3cdbfa2201868ef02a10a81e2c9682ecacc4bf55194259592869f17bdffb4490
                                                                                      • Instruction ID: e0fe8b717f08c0f352e32cfe47befd388dea2e3e4fe6e4b293b68ad261028c86
                                                                                      • Opcode Fuzzy Hash: 3cdbfa2201868ef02a10a81e2c9682ecacc4bf55194259592869f17bdffb4490
                                                                                      • Instruction Fuzzy Hash: F0E0CD376C121497DB1016F7DC80FAA775CDBA5371F464C72F708E61C0D5E6949245B1
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02ED98FD,00000001,00000100,02EE22F8,02EDA3C7), ref: 02ED4290
                                                                                      • CloseHandle.KERNEL32(02EDA3C7), ref: 02ED43AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 02ED43AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID:
                                                                                      • API String ID: 1371578007-0
                                                                                      • Opcode ID: 10805bbbb4af4f078d301896d39429c91d61db4b0b0a3566b78f98c1a0721da0
                                                                                      • Instruction ID: 08da86a1ac24f432e8cab6a66f5d9455c554cb90ade48f2ddea71a2e85073a7f
                                                                                      • Opcode Fuzzy Hash: 10805bbbb4af4f078d301896d39429c91d61db4b0b0a3566b78f98c1a0721da0
                                                                                      • Instruction Fuzzy Hash: 1C419CB1880209BBDF10ABA6DD85FEFBBB9EF40324F109955F604A61C0D7359642CFA1
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02ED64CF,00000000), ref: 02ED609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,02ED64CF,00000000), ref: 02ED60C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 02ED614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02ED619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: cb716786030f09d0d1920546d0508b93c3141eab46cca799e1169fd61e1dec70
                                                                                      • Instruction ID: 55842e8f5a21f3d79c0f914216608ae6512b2b0bcfd3ed17b596e61c090e10d4
                                                                                      • Opcode Fuzzy Hash: cb716786030f09d0d1920546d0508b93c3141eab46cca799e1169fd61e1dec70
                                                                                      • Instruction Fuzzy Hash: F4417F71E80106EFDB24CF59E884BA9B7B9FF04358F14C169E819DB291D730E942CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5bc96c6fdb44bc0542741b463e0960039768a419d57ad125cfb45dc7c3b36488
                                                                                      • Instruction ID: 826043fe5784acbc1d3c7898faec98e2c15431471102415936913d6d89ffd41f
                                                                                      • Opcode Fuzzy Hash: 5bc96c6fdb44bc0542741b463e0960039768a419d57ad125cfb45dc7c3b36488
                                                                                      • Instruction Fuzzy Hash: 75319171980208EBDF109FA5CC81BBEB7F4EF48705F109456FA05EB242E374D6428B64
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02ED272E
                                                                                      • htons.WS2_32(00000001), ref: 02ED2752
                                                                                      • htons.WS2_32(0000000F), ref: 02ED27D5
                                                                                      • htons.WS2_32(00000001), ref: 02ED27E3
                                                                                      • sendto.WS2_32(?,02EE2BF8,00000009,00000000,00000010,00000010), ref: 02ED2802
                                                                                        • Part of subcall function 02EDEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02EDEBFE,7FFF0001,?,02EDDB55,7FFF0001), ref: 02EDEBD3
                                                                                        • Part of subcall function 02EDEBCC: RtlAllocateHeap.NTDLL(00000000,?,02EDDB55,7FFF0001), ref: 02EDEBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1128258776-0
                                                                                      • Opcode ID: 63f9dc54ad024e08a077504d3576e8b91617559c9b3ae7ccbbb242b44a3d2832
                                                                                      • Instruction ID: 24b6f955fdbad644d650f3523373b040403bc3927ad11411fd138c58a9d559ed
                                                                                      • Opcode Fuzzy Hash: 63f9dc54ad024e08a077504d3576e8b91617559c9b3ae7ccbbb242b44a3d2832
                                                                                      • Instruction Fuzzy Hash: E1314634AC038ADFEB208F75D8A0A617768EF19318B59985DFE598F303D2729482CB14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02EE22F8), ref: 02ED915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02ED9166
                                                                                      • CharToOemA.USER32(?,?), ref: 02ED9174
                                                                                      • wsprintfA.USER32 ref: 02ED91A9
                                                                                        • Part of subcall function 02ED9064: GetTempPathA.KERNEL32(00000400,?,00000000,02EE22F8), ref: 02ED907B
                                                                                        • Part of subcall function 02ED9064: wsprintfA.USER32 ref: 02ED90E9
                                                                                        • Part of subcall function 02ED9064: CreateFileA.KERNEL32(02EE22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02ED910E
                                                                                        • Part of subcall function 02ED9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02ED9122
                                                                                        • Part of subcall function 02ED9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02ED912D
                                                                                        • Part of subcall function 02ED9064: CloseHandle.KERNEL32(00000000), ref: 02ED9134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02ED91E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 3857584221-0
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02ED2491,?,?,?,02EDE844,-00000030,?,?,?,00000001), ref: 02ED2429
                                                                                      • lstrlenA.KERNEL32(?,?,02ED2491,?,?,?,02EDE844,-00000030,?,?,?,00000001,02ED1E3D,00000001,localcfg,lid_file_upd), ref: 02ED243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 02ED2452
                                                                                      • lstrlenA.KERNEL32(?,?,02ED2491,?,?,?,02EDE844,-00000030,?,?,?,00000001,02ED1E3D,00000001,localcfg,lid_file_upd), ref: 02ED2467
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      APIs
                                                                                        • Part of subcall function 02EDDD05: GetTickCount.KERNEL32 ref: 02EDDD0F
                                                                                        • Part of subcall function 02EDDD05: InterlockedExchange.KERNEL32(02EE36B4,00000001), ref: 02EDDD44
                                                                                        • Part of subcall function 02EDDD05: GetCurrentThreadId.KERNEL32 ref: 02EDDD53
                                                                                      • lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,02ED5EC1), ref: 02EDE693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,02ED5EC1), ref: 02EDE6E9
                                                                                      • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,774D0F10,00000000,?,02ED5EC1), ref: 02EDE722
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: 89ABCDEF
                                                                                      • API String ID: 3343386518-71641322
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,02EDE2A3,00000000,00000000,00000000,00020106,00000000,02EDE2A3,00000000,000000E4), ref: 02EDE0B2
                                                                                      • RegSetValueExA.ADVAPI32(02EDE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02EE22F8), ref: 02EDE127
                                                                                      • RegDeleteValueA.ADVAPI32(02EDE2A3,?,?,?,?,?,000000C8,02EE22F8), ref: 02EDE158
                                                                                      • RegCloseKey.ADVAPI32(02EDE2A3,?,?,?,?,000000C8,02EE22F8,?,?,?,?,?,?,?,?,02EDE2A3), ref: 02EDE161
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID:
                                                                                      • API String ID: 2667537340-0
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,02EDA3C7,00000000,00000000,000007D0,00000001), ref: 02ED3FB8
                                                                                      • GetLastError.KERNEL32 ref: 02ED3FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02ED3FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02ED3FE6
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,02EDA3C7,00000000,00000000,000007D0,00000001), ref: 02ED3F44
                                                                                      • GetLastError.KERNEL32 ref: 02ED3F4E
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02ED3F5F
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02ED3F72
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02EDA4D1
                                                                                      • GetTickCount.KERNEL32 ref: 02EDA4E4
                                                                                      • Sleep.KERNEL32(00000000,?,02EDC2E9,02EDC4E0,00000000,localcfg,?,02EDC4E0,02EE3588,02ED8810), ref: 02EDA4F1
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02EDA4FA
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02ED4E9E
                                                                                      • GetTickCount.KERNEL32 ref: 02ED4EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 02ED4EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02ED4EC3
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 02ED3103
                                                                                      • GetTickCount.KERNEL32 ref: 02ED310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 02ED311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02ED3128
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02EDC057
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      APIs
                                                                                        • Part of subcall function 02ED30FA: GetTickCount.KERNEL32 ref: 02ED3103
                                                                                        • Part of subcall function 02ED30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02ED3128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02ED3929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 02ED3939
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02EDBD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02EDABB9
                                                                                      • InterlockedIncrement.KERNEL32(02EE3640), ref: 02EDABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: a9023a2d46cef322bc82ff9413dcad3094e38653d247d02aba34f2853872ce3e
                                                                                      • Instruction ID: 5297f851d99bfb3daf912ecda0e1bf0fea5431dd4b8bf7454d7ca2e0f82ef2d7
                                                                                      • Opcode Fuzzy Hash: a9023a2d46cef322bc82ff9413dcad3094e38653d247d02aba34f2853872ce3e
                                                                                      • Instruction Fuzzy Hash: 11019271588284AFEF11CE18D891F957BA6AF45314F149894F5805B302C3B0E786CBA0
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02ED26C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 02ED26E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: 2490427343fec07d47bee98683704c7e78aeeab6c1628c42e17486d19df146c3
                                                                                      • Instruction ID: 47b71e36a7ee355c43508d54d5b2f7f5c2244356fbafad6d83b6d7a801ea40f0
                                                                                      • Opcode Fuzzy Hash: 2490427343fec07d47bee98683704c7e78aeeab6c1628c42e17486d19df146c3
                                                                                      • Instruction Fuzzy Hash: F9F082361C8309AFEF006EA0EC09AAA379CDB09254F14C421FA18DE091DBB1D9518798
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,02EDEB54,_alldiv,02EDF0B7,80000001,00000000,00989680,00000000,?,?,?,02EDE342,00000000,7597EA50,80000001,00000000), ref: 02EDEAF2
                                                                                      • GetProcAddress.KERNEL32(77600000,00000000), ref: 02EDEB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: 01ad8388ee342ea5f7d294a946e6690fcf12c8a1a353123691090c52016e98b1
                                                                                      • Instruction ID: 63909a49d7c745c934a92f526c9349d4e5cb6f3d1f0a1473d5f67121cd938ac8
                                                                                      • Opcode Fuzzy Hash: 01ad8388ee342ea5f7d294a946e6690fcf12c8a1a353123691090c52016e98b1
                                                                                      • Instruction Fuzzy Hash: CDD0C978AC0303DB9F32CFB6D91EA2677E8AB44706BC09855B40BEE100E774E4E5DA10
                                                                                      APIs
                                                                                        • Part of subcall function 02ED2D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,02ED2F01,?,02ED20FF,02EE2000), ref: 02ED2D3A
                                                                                        • Part of subcall function 02ED2D21: LoadLibraryA.KERNEL32(?), ref: 02ED2D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02ED2F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 02ED2F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.2528935050.0000000002ED0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_2ed0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: f332c5db67a9356283509a40c5ca38b25c5af0345894c40c95985b973a65d7c5
                                                                                      • Instruction ID: f3a6d2720c3fb12518a87ed0eb2b75f4e52663d858eae9d8eeccc1104183b0be
                                                                                      • Opcode Fuzzy Hash: f332c5db67a9356283509a40c5ca38b25c5af0345894c40c95985b973a65d7c5
                                                                                      • Instruction Fuzzy Hash: 7F51AD7194020AEFCF019F64D888AFAB775FF05304F1495A9ED96DB210E7329A1ACF90