Windows Analysis Report
OPgjjiInNK.exe

Overview

General Information

Sample name: OPgjjiInNK.exe (renamed because original name is a hash value)
Original sample name: bfabf02b846c1cd0634fa1bf8a95e4aa.exe
Analysis ID: 1517808
MD5: bfabf02b846c1cd0634fa1bf8a95e4aa
SHA1: 912bf8c8c515c98ed82f6ac94ce3517dde29fc6d
SHA256: f4de268ea469d180cfe44713d1b0f5fcf8ea3270af525c6e040497b43a414e1b
Tags: exe, user-abuse_ch

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • OPgjjiInNK.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\OPgjjiInNK.exe" MD5: BFABF02B846C1CD0634FA1BF8A95E4AA)
    • cmd.exe (PID: 7860 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pomunxzj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7916 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxavuooi.exe" C:\Windows\SysWOW64\pomunxzj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7972 cmdline: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8028 cmdline: "C:\Windows\System32\sc.exe" description pomunxzj "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8084 cmdline: "C:\Windows\System32\sc.exe" start pomunxzj MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 8164 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1028 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • qxavuooi.exe (PID: 8144 cmdline: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d"C:\Users\user\Desktop\OPgjjiInNK.exe" MD5: 27370B7DFBEDCB3761138C7185EEFAB9)
    • svchost.exe (PID: 920 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 6428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 584 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 8184 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7420 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 0.2.OPgjjiInNK.exe.400000.0.unpack; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0.2.OPgjjiInNK.exe.400000.0.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.OPgjjiInNK.exe.400000.0.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 12.2.qxavuooi.exe.3340e67.1.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.qxavuooi.exe.3340e67.1.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons

        System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d"C:\Users\user\Desktop\OPgjjiInNK.exe", ParentImage: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe, ParentProcessId: 8144, ParentProcessName: qxavuooi.exe, ProcessCommandLine: svchost.exe, ProcessId: 920, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\OPgjjiInNK.exe", ParentImage: C:\Users\user\Desktop\OPgjjiInNK.exe, ParentProcessId: 7736, ParentProcessName: OPgjjiInNK.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7972, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.42.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 920, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49707
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d"C:\Users\user\Desktop\OPgjjiInNK.exe", ParentImage: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe, ParentProcessId: 8144, ParentProcessName: qxavuooi.exe, ProcessCommandLine: svchost.exe, ProcessId: 920, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 920, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\pomunxzj
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\OPgjjiInNK.exe", ParentImage: C:\Users\user\Desktop\OPgjjiInNK.exe, ParentProcessId: 7736, ParentProcessName: OPgjjiInNK.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7972, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 8184, ProcessName: svchost.exe
        No Suricata rule has matched

        AV Detection

Source: OPgjjiInNK.exe; Avira: detected
Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: OPgjjiInNK.exe; ReversingLabs: Detection: 91%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\qxavuooi.exe; Joe Sandbox ML: detected
Source: OPgjjiInNK.exe; Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\OPgjjiInNK.exe; Unpacked PE file: 0.2.OPgjjiInNK.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe; Unpacked PE file: 12.2.qxavuooi.exe.400000.0.unpack
Source: OPgjjiInNK.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\OPgjjiInNK.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\pomunxzj

        Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31:25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 98.136.96.76:25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.42.0:25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 195.58.54.132:443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 142.250.110.27:25
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.42.0
Source: Joe Sandbox View; IP Address: 94.100.180.31
Source: Joe Sandbox View; IP Address: 98.136.96.76
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: URALTRANSCOM-ASUA
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View; ASN Name: YAHOO-NE1US
Source: global traffic; TCP traffic: 192.168.2.10:49707 -> 52.101.42.0:25
Source: global traffic; TCP traffic: 192.168.2.10:49713 -> 98.136.96.76:25
Source: global traffic; TCP traffic: 192.168.2.10:62561 -> 142.250.110.27:25
Source: global traffic; TCP traffic: 192.168.2.10:62563 -> 94.100.180.31:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 10 times)
Source: C:\Users\user\Desktop\OPgjjiInNK.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 62564 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 62562 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 62562
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 62564
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49712

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: OPgjjiInNK.exe PID: 7736, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: qxavuooi.exe PID: 8144, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

        System Summary

Source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.3340e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.3340e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.3.qxavuooi.exe.3360000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.3.qxavuooi.exe.3360000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.OPgjjiInNK.exe.2c30000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.OPgjjiInNK.exe.2c30000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0000000C.00000002.1533258866.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
Source: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee, Author: ditekSHen
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\pomunxzj\Jump to behavior
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: 0_2_0041A4100_2_0041A410
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_0040C91312_2_0040C913
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_0041A41012_2_0041A410
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_02C235F912_2_02C235F9
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_02C2359112_2_02C23591
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_02C2365912_2_02C23659
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exeCode function: 12_2_02C2353112_2_02C23531
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 18_2_0040C91318_2_0040C913
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeCode function: String function: 02BC27AB appears 35 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736
        Source: OPgjjiInNK.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.3340e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.3340e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.qxavuooi.exe.3360000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.qxavuooi.exe.3360000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.OPgjjiInNK.exe.2c30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.OPgjjiInNK.exe.2c30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1533258866.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: OPgjjiInNK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@31/3@10/5
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7B176 CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7420:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:2764:64:WilError_03
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | File created: C:\Users\user\AppData\Local\Temp\qxavuooi.exe
        Source: OPgjjiInNK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: OPgjjiInNK.exe | ReversingLabs: Detection: 91%
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | File read: C:\Users\user\Desktop\OPgjjiInNK.exe
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_12-15381
        Source: unknown | Process created: C:\Users\user\Desktop\OPgjjiInNK.exe "C:\Users\user\Desktop\OPgjjiInNK.exe"
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pomunxzj\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxavuooi.exe" C:\Windows\SysWOW64\pomunxzj\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description pomunxzj "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start pomunxzj
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d"C:\Users\user\Desktop\OPgjjiInNK.exe"
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1028
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 584
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pomunxzj\
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxavuooi.exe" C:\Windows\SysWOW64\pomunxzj\
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description pomunxzj "wifi internet conection"
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start pomunxzj
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1028
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 584
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\OPgjjiInNK.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Unpacked PE file: 0.2.OPgjjiInNK.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Unpacked PE file: 12.2.qxavuooi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Unpacked PE file: 0.2.OPgjjiInNK.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Unpacked PE file: 12.2.qxavuooi.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7A4EB push ebp; retn 000Ch | 0_2_02C7A4F2
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7E45E push 0000002Bh; iretd | 0_2_02C7E464
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7A613 push ebp; retn 000Ch | 0_2_02C7A61A
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7A5B3 push ebp; retn 000Ch | 0_2_02C7A5BA
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7A54B push ebp; retn 000Ch | 0_2_02C7A552
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_02C2755E push 0000002Bh; iretd | 12_2_02C27564
        Source: OPgjjiInNK.exe | Static PE information: section name: .text entropy: 7.416821607938147

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | File created: C:\Users\user\AppData\Local\Temp\qxavuooi.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pomunxzj
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\opgjjiinnk.exe
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00401000
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary | 18_2_0040199C
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_12-15806
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-16554
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_18-7166
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision | graph_18-6135
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-16310
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_18-7320
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_12-15762
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess | graph_0-15351
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_0-16402
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-15127
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_12-15397
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | API coverage: 8.1 %
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | API coverage: 6.7 %
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_0041A410 GetSystemTimes followed by cmp: cmp dword ptr [02b3bd3ch], 0ah and CTI: jne 0041A668h | 0_2_0041A410
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_0041A410 GetSystemTimes followed by cmp: cmp dword ptr [02b3bd3ch], 0ah and CTI: jne 0041A668h | 12_2_0041A410
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount | 0_2_00401D96
        Source: svchost.exe, 00000012.00000002.2638261144.0000000000800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node | graph_18-6425

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_18-7487
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_0-16585
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02BC0D90 mov eax, dword ptr fs:[00000030h] | 0_2_02BC0D90
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02BC092B mov eax, dword ptr fs:[00000030h] | 0_2_02BC092B
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_02C7AA53 push dword ptr fs:[00000030h] | 0_2_02C7AA53
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_02C23B53 push dword ptr fs:[00000030h] | 12_2_02C23B53
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_0334092B mov eax, dword ptr fs:[00000030h] | 12_2_0334092B
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_03340D90 mov eax, dword ptr fs:[00000030h] | 12_2_03340D90
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap | 0_2_0040EBCC
        Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 18_2_00409A6B

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31, port 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.76, port 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0, port 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.58.54.132, port 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.250.110.27, port 25
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3A1008
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pomunxzj\
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxavuooi.exe" C:\Windows\SysWOW64\pomunxzj\
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description pomunxzj "wifi internet conection"
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start pomunxzj
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1028
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 584
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
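The behaviours in the two sections above (the sc.exe service installation into a private SysWOW64 folder, the netsh inbound allow rule for the 32-bit svchost.exe, the RWX allocation followed by an MZ header written into svchost.exe, and SMTP connections leaving svchost.exe) translate directly into host-side detection logic. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or of the sample's code. The telemetry it runs over is constructed to mirror the report's observations plus two benign control events, the Sysmon-like field names are an assumption, and the heuristics are the editor's own reading of the report.

```python
"""Checks derived from the behaviours listed in the report above: service
installation via sc.exe, a netsh firewall allow rule, an RWX allocation plus
MZ write into svchost.exe, and SMTP connections from svchost.exe.

SAMPLE_EVENTS is constructed to mirror the report's observations (plus two
benign control events); it is not captured telemetry, and the Sysmon-like
field names are an assumption."""
import re

SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\OPgjjiInNK.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\OPgjjiInNK.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    # benign control: an administrator querying a service from a shell
    {"type": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" query wuauserv'},
    {"type": "mem_alloc", "source": r"C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe",
     "target": r"C:\Windows\SysWOW64\svchost.exe", "base": 0x400000,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "mem_write", "source": r"C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe",
     "target": r"C:\Windows\SysWOW64\svchost.exe", "base": 0x400000,
     "data": bytes.fromhex("4d5a9000")},            # starts with "MZ"
    {"type": "net_connect", "process": r"C:\Windows\SysWOW64\svchost.exe",
     "dst": "94.100.180.31", "port": 25},
    {"type": "net_connect", "process": r"C:\Windows\SysWOW64\svchost.exe",
     "dst": "195.58.54.132", "port": 443},
    # benign control: a real mail client speaking SMTP
    {"type": "net_connect", "process": r"C:\Program Files\MailClient\mail.exe",
     "dst": "142.250.110.27", "port": 25},
]

SC_CREATE = re.compile(r'sc(?:\.exe)?"?\s+create\s+(\S+)\s.*?binPath=\s*"?([^"]*?\.exe)', re.I)
NETSH_ADD = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)', re.I)


def user_writable(path):
    """Locations a standard user can drop files into."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p


def check_service_install(cmdline):
    """sc.exe create: where does the new service image live, and does the
    service name look machine-generated?"""
    m = SC_CREATE.search(cmdline)
    if not m:
        return []
    name, image = m.group(1), m.group(2)
    parts = image.lower().split("\\")
    out = []
    # Windows does not install service images in private folders directly
    # under SysWOW64; this sample creates one (pomunxzj) and moves its copy there.
    if parts[:3] == ["c:", "windows", "syswow64"] and len(parts) == 5:
        out.append(f"service {name}: image in private SysWOW64 folder {image}")
    # Eight lowercase letters that double as the folder name (pomunxzj/pomunxzj).
    if re.fullmatch(r"[a-z]{8}", name) and len(parts) >= 2 and parts[-2] == name.lower():
        out.append(f"service {name}: generated-looking name reused as folder name")
    return out


def check_firewall_rule(cmdline, parent):
    """netsh advfirewall firewall add rule: who added an allow rule, and for what?"""
    m = NETSH_ADD.search(cmdline)
    if not m:
        return []
    args = {k.lower(): v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(1))}
    if args.get("action", "").lower() != "allow":
        return []
    out = []
    if user_writable(parent):
        out.append(f"firewall allow rule {args.get('name')!r} added by {parent}")
    # Windows' own svchost rules reference the System32 copy; an inbound allow
    # for SysWOW64\svchost.exe serves an injected 32-bit payload.
    if (args.get("dir", "").lower() == "in"
            and args.get("program", "").lower() == r"c:\windows\syswow64\svchost.exe"):
        out.append(f"inbound allow rule for 32-bit svchost.exe: {args['program']}")
    return out


def check_pe_injection(events):
    """Pair an RWX allocation in a foreign process with a later write of an MZ
    header at the same base: a PE image planted in another process."""
    staged, out = set(), []
    for ev in events:
        key = (ev.get("source"), ev.get("target"), ev.get("base"))
        if (ev["type"] == "mem_alloc" and ev["source"] != ev["target"]
                and "EXECUTE" in ev["protect"] and "WRITE" in ev["protect"]):
            staged.add(key)
        elif ev["type"] == "mem_write" and key in staged and ev["data"][:2] == b"MZ":
            out.append(f"{ev['source']} wrote a PE image into {ev['target']} at {ev['base']:#x}")
    return out


def check_smtp_from_windows_binary(events):
    """Binaries under C:\\Windows have no reason to speak SMTP; port 25 from
    svchost.exe is the spam engine behind the report's MX connections."""
    return [f"{ev['process']} -> {ev['dst']}:25 (SMTP from a Windows system binary)"
            for ev in events
            if ev["type"] == "net_connect" and ev["port"] == 25
            and ev["process"].lower().startswith("c:\\windows\\")]


def triage(events):
    """Run every check and return the combined list of findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            findings += check_service_install(ev["cmdline"])
            findings += check_firewall_rule(ev["cmdline"], ev["parent"])
    findings += check_pe_injection(events)
    findings += check_smtp_from_windows_binary(events)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("[!]", finding)
```

Run stand-alone it prints six findings for the constructed events and none for the two controls. The injection check deliberately requires both halves of the pattern (RWX allocation in a foreign process, then an MZ write at the same base), because either half alone is common in legitimate software; the firewall check keys on who created the rule and which svchost.exe copy it names rather than on the rule name, which the sample chose to look like a Windows description.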

        Stealing of Sensitive Information

Source: Yara match | File source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OPgjjiInNK.exe PID: 7736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qxavuooi.exe PID: 8144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 0.2.OPgjjiInNK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.OPgjjiInNK.exe.2c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OPgjjiInNK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.qxavuooi.exe.3360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3340e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OPgjjiInNK.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qxavuooi.exe.3360000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OPgjjiInNK.exe PID: 7736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qxavuooi.exe PID: 8144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR
Source: C:\Users\user\Desktop\OPgjjiInNK.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
MITRE ATT&CK Matrix (techniques with matching signatures; the digits are the badge shown next to each technique in the report)

Initial Access: Valid Accounts (1)
Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3)
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412)
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (412)
Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)

No techniques matched under Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph ID: 1517808 | Sample: OPgjjiInNK.exe | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
  Started: qxavuooi.exe; OPgjjiInNK.exe; svchost.exe

qxavuooi.exe
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe; WerFault.exe

OPgjjiInNK.exe
  Dropped: C:\Users\user\AppData\Local\...\qxavuooi.exe, PE32
  Signatures: Found API chain indicative of debugger detection; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe; netsh.exe; cmd.exe; 4 other processes

svchost.exe (started at top level)
  Started: WerFault.exe; WerFault.exe

svchost.exe (started by qxavuooi.exe)
  DNS/IP: mta7.am0.yahoodns.net 98.136.96.76, port 25, YAHOO-NE1US, United States; vanaheim.cn 195.58.54.132, ports 443, 49712, 62562, URALTRANSCOM-ASUA, Russian Federation; 3 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

cmd.exe (first)
  Dropped: C:\Windows\SysWOW64\...\qxavuooi.exe (copy), PE32
  Started: conhost.exe

netsh.exe
  Started: conhost.exe

cmd.exe (second)
  Started: conhost.exe

4 other processes
  Started: conhost.exe; conhost.exe; conhost.exe

Antivirus detection: sample
Source | Detection | Scanner | Label
OPgjjiInNK.exe | 92% | ReversingLabs | Win32.Trojan.Smokeloader
OPgjjiInNK.exe | 100% | Avira | TR/AD.Tofsee.xduze
OPgjjiInNK.exe | 100% | Joe Sandbox ML |

Antivirus detection: dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\qxavuooi.exe | 100% | Joe Sandbox ML |

Antivirus detection: unpacked PE files
No Antivirus matches

Antivirus detection: domains
No Antivirus matches

Antivirus detection: URLs
Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta7.am0.yahoodns.net | 98.136.96.76 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.42.0 | true | true | | unknown
vanaheim.cn | 195.58.54.132 | true | true | | unknown
smtp.google.com | 142.250.110.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
URLs
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.42.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
195.58.54.132 | vanaheim.cn | Russian Federation | 41082 | URALTRANSCOM-ASUA | true
142.250.110.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
98.136.96.76 | mta7.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517808
Start date and time: 2024-09-25 07:46:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OPgjjiInNK.exe
renamed because original name is a hash value
Original Sample Name: bfabf02b846c1cd0634fa1bf8a95e4aa.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/3@10/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 69
• Number of non-executed functions: 263
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.70.246.20, 20.112.250.133, 20.76.201.171, 20.231.239.246, 20.236.44.162
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: OPgjjiInNK.exe
Time | Type | Description
01:48:04 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Similar samples by IP
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.42.0 | H3nfKrgQbi.exe | malicious | Tofsee
52.101.42.0 | 874A7cigvX.exe | malicious | Tofsee
52.101.42.0 | qkkcfptf.exe | malicious | Tofsee
52.101.42.0 | fdnoqmpv.exe | malicious | Tofsee
52.101.42.0 | .exe | malicious | Unknown
52.101.42.0 | Sm4Ty3Em4z.exe | malicious | Tofsee
52.101.42.0 | rRBVVlBwia.exe | malicious | Tofsee
52.101.42.0 | DWoKcG581L.exe | malicious | Tofsee
52.101.42.0 | L7iza9mNDI.exe | malicious | Tofsee
52.101.42.0 | file.exe | malicious | Tofsee
195.58.54.132 | rXTqHar5Ud.exe | malicious | Tofsee
195.58.54.132 | 2IFYYPRUgO.exe | malicious | Tofsee
195.58.54.132 | H3nfKrgQbi.exe | malicious | Tofsee
94.100.180.31 | 2IFYYPRUgO.exe | malicious | Tofsee
94.100.180.31 | H3nfKrgQbi.exe | malicious | Tofsee
94.100.180.31 | 2FnvReiPU6.exe | malicious | Tofsee
94.100.180.31 | qkkcfptf.exe | malicious | Tofsee
94.100.180.31 | vekvtia.exe | malicious | Tofsee
94.100.180.31 | UUJycuNA6D.exe | malicious | Tofsee
94.100.180.31 | igvdwmhd.exe | malicious | Tofsee
94.100.180.31 | fdnoqmpv.exe | malicious | Tofsee
94.100.180.31 | rRBVVlBwia.exe | malicious | Tofsee
94.100.180.31 | setup.exe | malicious | Tofsee
98.136.96.76 | foufdsk.exe | malicious | Tofsee
98.136.96.76 | .exe | malicious | Unknown
98.136.96.76 | setup.exe | malicious | Tofsee
98.136.96.76 | file.exe | malicious | Phorpiex
98.136.96.76 | file.exe | malicious | Phorpiex
98.136.96.76 | gEkl9O5tiu.exe | malicious | Phorpiex
98.136.96.76 | file.exe | malicious | Phorpiex, Xmrig
98.136.96.76 | file.exe | malicious | Tofsee
98.136.96.76 | l3Qj8QhTYZ.exe | malicious | Phorpiex
98.136.96.76 | Update-KB6734-x86.exe | malicious | Unknown
Similar samples by domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
mxs.mail.ru | rXTqHar5Ud.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | 2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Uc84uB877e.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | qkkcfptf.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | vekvtia.exe | malicious | Tofsee | 94.100.180.31
mta7.am0.yahoodns.net | 2FnvReiPU6.exe | malicious | Tofsee | 98.136.96.91
mta7.am0.yahoodns.net | 874A7cigvX.exe | malicious | Tofsee | 67.195.204.74
mta7.am0.yahoodns.net | RSno9EH0K9.exe | malicious | Tofsee | 67.195.228.111
mta7.am0.yahoodns.net | Uc84uB877e.exe | malicious | Tofsee | 67.195.228.109
mta7.am0.yahoodns.net | bEsOrli29K.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | Eduhazqw4u.exe | malicious | Tofsee | 67.195.228.109
mta7.am0.yahoodns.net | setup.exe | malicious | Tofsee | 98.136.96.76
mta7.am0.yahoodns.net | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 67.195.204.74
mta7.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
microsoft-com.mail.protection.outlook.com | rXTqHar5Ud.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | 2IFYYPRUgO.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | H3nfKrgQbi.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | 2FnvReiPU6.exe | malicious | Tofsee | 52.101.11.9
microsoft-com.mail.protection.outlook.com | 874A7cigvX.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | RSno9EH0K9.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | ODy57hA4Su.exe | malicious | Tofsee |
                                                                                          Uc84uB877e.exeGet hashmaliciousTofseeBrowse
                                                                                          • 52.101.8.49
                                                                                          qkkcfptf.exeGet hashmaliciousTofseeBrowse
                                                                                          • 52.101.42.0
                                                                                          vekvtia.exeGet hashmaliciousTofseeBrowse
                                                                                          • 52.101.8.49
Match | Associated Sample Name / URL | Detection | Threat Name | Context
URALTRANSCOM-AS UA | rXTqHar5Ud.exe | malicious | Tofsee | 195.58.54.132
URALTRANSCOM-AS UA | 2IFYYPRUgO.exe | malicious | Tofsee | 195.58.54.132
URALTRANSCOM-AS UA | H3nfKrgQbi.exe | malicious | Tofsee | 195.58.54.132
URALTRANSCOM-AS UA | cQOoKCZyG3.elf | malicious | Mirai | 91.215.129.108
URALTRANSCOM-AS UA | 09M6JXwjtO.elf | malicious | Mirai | 195.133.84.147
URALTRANSCOM-AS UA | Pb0GaINSjK.elf | malicious | Mirai | 194.87.3.81
URALTRANSCOM-AS UA | QN5PrDr5St.elf | malicious | Unknown | 195.133.84.180
URALTRANSCOM-AS UA | 8dToMPcvO1.elf | malicious | Mirai | 91.215.129.145
URALTRANSCOM-AS UA | wsskM49eA3.elf | malicious | Unknown | 195.133.89.28
URALTRANSCOM-AS UA | quhEKAdhFU.elf | malicious | Mirai | 91.215.129.137
MICROSOFT-CORP-MSN-AS-BLOCK US | http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/tsunami.html | malicious | HTMLPhisher | 13.107.246.57
MICROSOFT-CORP-MSN-AS-BLOCK US | http://flleo4.wixsite.com/my-site/ | malicious | Unknown | 150.171.28.10
MICROSOFT-CORP-MSN-AS-BLOCK US | http://roberthaveman.wixsite.com/my-site/ | malicious | Unknown | 150.171.27.10
MICROSOFT-CORP-MSN-AS-BLOCK US | http://pub-828054e57dc44bfab8358f5f079acd7e.r2.dev/relogin.html | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCK US | http://propertyinaustralia.github.io/propertyinaustralia/property.html | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCK US | https://metamasks.netlify.app/ | malicious | Unknown | 13.107.246.45
MICROSOFT-CORP-MSN-AS-BLOCK US | https://aptos-web-git-chore-shows-the-staking-token-website.pancake.run/liquidity | malicious | Unknown | 20.69.148.152
MICROSOFT-CORP-MSN-AS-BLOCK US | https://aptos-web-git-chore-shows-the-staking-token-website.pancake.run/swap | malicious | Unknown | 20.51.76.24
MICROSOFT-CORP-MSN-AS-BLOCK US | https://aptos-web-git-chore-shows-the-staking-token-website.pancake.run/ifo | malicious | Unknown | 20.69.148.152
MICROSOFT-CORP-MSN-AS-BLOCK US | https://aptos-web-git-chore-shows-the-staking-token-website.pancake.run/farms | malicious | Unknown | 20.51.76.24
YAHOO-NE1 US | rXTqHar5Ud.exe | malicious | Tofsee | 98.136.96.74
YAHOO-NE1 US | Tsunami.arm.elf | malicious | Mirai | 98.137.87.86
YAHOO-NE1 US | 2FnvReiPU6.exe | malicious | Tofsee | 98.136.96.91
YAHOO-NE1 US | qkkcfptf.exe | malicious | Tofsee | 98.136.96.74
YAHOO-NE1 US | knkduwqg.exe | malicious | Tofsee | 98.136.96.75
YAHOO-NE1 US | foufdsk.exe | malicious | Tofsee | 98.136.96.76
YAHOO-NE1 US | .exe | malicious | Unknown | 98.136.96.76
YAHOO-NE1 US | VvlYJBzLuW.elf | malicious | Mirai | 216.252.107.64
YAHOO-NE1 US | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
YAHOO-NE1 US | setup.exe | malicious | Tofsee | 98.136.96.76
MAILRU-ASMailRu RU | rXTqHar5Ud.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRu RU | 2IFYYPRUgO.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRu RU | H3nfKrgQbi.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRu RU | 8zzBr1gT31.elf | malicious | Mirai | 5.61.23.57
MAILRU-ASMailRu RU | 2FnvReiPU6.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRu RU | OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
MAILRU-ASMailRu RU | OuZGkt7xKK.exe | malicious | Coinhive, Xmrig | 178.237.20.50
MAILRU-ASMailRu RU | 874A7cigvX.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRu RU | RSno9EH0K9.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRu RU | ODy57hA4Su.exe | malicious | Tofsee | 217.69.139.150
No context
No context
Process: C:\Users\user\Desktop\OPgjjiInNK.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14440448
Entropy (8bit): 5.296571874216493
Encrypted: false
SSDEEP: 24576:sSuGGjERRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRd:sSu
MD5: 27370B7DFBEDCB3761138C7185EEFAB9
SHA1: 8E0A3565C2A078DB3F976B70C298B14C05BE2036
SHA-256: 19BD26E24604A03566F3DF9BDC54EDA081A7101DAE549EA2C2E34DBBC69AA533
SHA-512: 4BB22A31DAFC23E31B4E51EA3613CE74B70DA752227EF1DC0D4FD0FE63052B8E52798A33A3C59051D0E4B7176D3836411DEA2299BE233FBEF2594F2153C2674F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.v................./...A...7...A...<...A...H...'...+.......]...A.../...A.../...A.../...Rich............................PE..L......d.....................Dt.....(.............@...........................u......?......................................d...<.....s..............................................................................................................text...?........................... ..`.rdata...(.......*..................@..@.data.....q...... ..................@....rsrc.........s..p..................@..@........................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14440448
Entropy (8bit): 5.296571874216493
Encrypted: false
SSDEEP: 24576:sSuGGjERRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRd:sSu
MD5: 27370B7DFBEDCB3761138C7185EEFAB9
SHA1: 8E0A3565C2A078DB3F976B70C298B14C05BE2036
SHA-256: 19BD26E24604A03566F3DF9BDC54EDA081A7101DAE549EA2C2E34DBBC69AA533
SHA-512: 4BB22A31DAFC23E31B4E51EA3613CE74B70DA752227EF1DC0D4FD0FE63052B8E52798A33A3C59051D0E4B7176D3836411DEA2299BE233FBEF2594F2153C2674F
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.v................./...A...7...A...<...A...H...'...+.......]...A.../...A.../...A.../...Rich............................PE..L......d.....................Dt.....(.............@...........................u......?......................................d...<.....s..............................................................................................................text...?........................... ..`.rdata...(.......*..................@..@.data.....q...... ..................@....rsrc.........s..p..................@..@........................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.408288251081041
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: OPgjjiInNK.exe
File size: 244'224 bytes
MD5: bfabf02b846c1cd0634fa1bf8a95e4aa
SHA1: 912bf8c8c515c98ed82f6ac94ce3517dde29fc6d
SHA256: f4de268ea469d180cfe44713d1b0f5fcf8ea3270af525c6e040497b43a414e1b
SHA512: 464b3969a5e5ea0d7d00be5a7a606139a254ee603ad9ff30bfba1b1f70723d85312e76287e88ad7cc47a171f6f4e21723319df0f2404b68dff06e1318d9dd7ae
SSDEEP: 3072:EVW80fS45N6hqQLAp+b6+y9vZvTDmnCVN3Z4S4y9gkkhf3FCWs/xy/Q:1fS45N6hk+yfnrjZ4SteGw/Q
TLSH: 7E344A01A1F2EC67ED22473D5E29C6A4F62EBC618F39226F22587D1F4D731E0855272D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.v................./...A...7...A...<...A...H...'...+.......]...A.../...A.../...A.../...Rich............................PE..L..
Icon Hash: 738733b18bab93e4
Entrypoint: 0x401a28
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6414C3B9 [Fri Mar 17 19:47:05 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: f5c87d796889e88604948d41c98c5353
Instruction
call 00007FC20CB35A48h
jmp 00007FC20CB3148Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041FB10h], eax
mov dword ptr [0041FB0Ch], ecx
mov dword ptr [0041FB08h], edx
mov dword ptr [0041FB04h], ebx
mov dword ptr [0041FB00h], esi
mov dword ptr [0041FAFCh], edi
mov word ptr [0041FB28h], ss
mov word ptr [0041FB1Ch], cs
mov word ptr [0041FAF8h], ds
mov word ptr [0041FAF4h], es
mov word ptr [0041FAF0h], fs
mov word ptr [0041FAECh], gs
pushfd
pop dword ptr [0041FB20h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041FB14h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041FB18h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041FB24h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041FA60h], 00010001h
mov eax, dword ptr [0041FB18h]
mov dword ptr [0041FA14h], eax
mov dword ptr [0041FA08h], C0000409h
mov dword ptr [0041FA0Ch], 00000001h
mov eax, dword ptr [0041E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000ECh]
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cf64 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x273e000 | 0x1d180 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1983f | 0x19a00 | 00ccba6c4d7006d8dd63ffc2ae27bec0 | False | 0.7731802591463415 | data | 7.416821607938147 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x28da | 0x2a00 | bfe5cdbaaf26f8cefdd13acf0e43f919 | False | 0.3470052083333333 | data | 4.890764374656339 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x271fea0 | 0x2000 | b7c4d4b1e606ef77f73cd53aa1f9fa1a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x273e000 | 0x1d180 | 0x1d200 | 0059d8fc82f25b1de8646aef568dfb42 | False | 0.4395704801502146 | data | 5.2717714417499675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Two rows here deserve a second look. .data declares a virtual size of 0x271fea0 (roughly 41 MB) against only 0x2000 bytes of raw data, so almost the whole section is zero-filled by the loader; this inflates the process image without adding anything to the file, and the scanner reports entropy and complexity for it as unknown. .text has an entropy of 7.42 bits per byte, close to the 8.0 of random data, which is what compressed or encrypted code looks like before it is unpacked at run time.
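The two anomalies above can be checked mechanically. The following is an added example, not code from the Joe Sandbox report: the SECTIONS list is transcribed from the section table, while the thresholds (entropy 7.0, a 16x virtual-to-raw ratio above 16 MiB) are my own assumptions. The shannon_entropy helper lets you recompute the entropy of any section you read from a file yourself, for instance where the scanner left it as unknown.

```python
"""Sanity checks over a PE section table.

Added example, not part of the sandbox report. SECTIONS is transcribed from
the report's section table; PACKED_ENTROPY, BLOAT_RATIO and BLOAT_MIN_BYTES
are assumed thresholds, not values the report defines.
"""
import math
from collections import Counter

SECTIONS = [
    # name, virtual address, virtual size, raw size, entropy (None = unknown), characteristics
    (".text", 0x1000, 0x1983f, 0x19a00, 7.416821607938147,
     "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0x1b000, 0x28da, 0x2a00, 4.890764374656339,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data", 0x1e000, 0x271fea0, 0x2000, None,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc", 0x273e000, 0x1d180, 0x1d200, 5.2717714417499675,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]

PACKED_ENTROPY = 7.0                 # bits/byte; compressed or encrypted data sits near 8.0 (assumed)
BLOAT_RATIO = 16                     # virtual size at least this many times the on-disk size (assumed)
BLOAT_MIN_BYTES = 16 * 1024 * 1024   # ignore small sections that merely carry .bss-style data (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_sections(sections):
    """Return a list of (section name, finding) tuples for the anomalies worth a look."""
    findings = []
    for name, _va, vsize, rawsize, entropy, chars in sections:
        flags = {f.strip() for f in chars.split(",")}
        executable = "IMAGE_SCN_MEM_EXECUTE" in flags
        writable = "IMAGE_SCN_MEM_WRITE" in flags
        if executable and writable:
            findings.append((name, "section is both writable and executable"))
        if executable and entropy is not None and entropy >= PACKED_ENTROPY:
            findings.append((name, f"executable section entropy {entropy:.2f}: packed or encrypted code"))
        if rawsize and vsize >= BLOAT_MIN_BYTES and vsize / rawsize >= BLOAT_RATIO:
            findings.append((name, f"virtual size {vsize / 2**20:.1f} MiB vs {rawsize} bytes on disk: "
                                   "zero-filled at load, inflates the process image"))
        if entropy is None:
            findings.append((name, "scanner did not compute entropy; measure the raw bytes yourself"))
    return findings


if __name__ == "__main__":
    for section, finding in check_sections(SECTIONS):
        print(f"{section:7s} {finding}")
```

Run against the table above this flags .text once (entropy) and .data twice (inflated virtual size, entropy unknown). To apply the entropy helper to a real file, read each section's raw bytes at its PointerToRawData for SizeOfRawData bytes and pass them to shannon_entropy.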
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
WETISEC | 0x27554a0 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.604309500489716
RT_CURSOR | 0x27560c0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x27561f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x273ea30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5863539445628998
RT_ICON | 0x273f8d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6570397111913358
RT_ICON | 0x2740180 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7200460829493087
RT_ICON | 0x2740848 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.759393063583815
RT_ICON | 0x2740db0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5427385892116182
RT_ICON | 0x2743358 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6575984990619137
RT_ICON | 0x2744400 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6770491803278689
RT_ICON | 0x2744d88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8023049645390071
RT_ICON | 0x2745268 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.35047974413646055
RT_ICON | 0x2746110 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5451263537906137
RT_ICON | 0x27469b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6273041474654378
RT_ICON | 0x2747080 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6813583815028902
RT_ICON | 0x27475e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.425103734439834
RT_ICON | 0x2749b90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5176229508196721
RT_ICON | 0x274a518 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5035460992907801
RT_ICON | 0x274a9e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.40751599147121537
RT_ICON | 0x274b890 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5699458483754513
RT_ICON | 0x274c138 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.630184331797235
RT_ICON | 0x274c800 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6358381502890174
RT_ICON | 0x274cd68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4643527204502814
RT_ICON | 0x274de10 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.44754098360655736
RT_ICON | 0x274e798 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5
RT_ICON | 0x274ec68 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.2806503198294243
RT_ICON | 0x274fb10 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.3677797833935018
RT_ICON | 0x27503b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.3807603686635945
RT_ICON | 0x2750a80 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.37572254335260113
RT_ICON | 0x2750fe8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.26016597510373446
RT_ICON | 0x2753590 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.274859287054409
RT_ICON | 0x2754638 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.28852459016393445
RT_ICON | 0x2754fc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.324468085106383
RT_DIALOG | 0x2758970 | 0x84 | data | | | 0.7651515151515151
RT_STRING | 0x27589f8 | 0x49a | data | | | 0.44482173174872663
RT_STRING | 0x2758e98 | 0x690 | data | | | 0.430952380952381
RT_STRING | 0x2759528 | 0x162 | data | | | 0.5056497175141242
RT_STRING | 0x2759690 | 0x7f4 | data | | | 0.4204322200392927
RT_STRING | 0x2759e88 | 0x6c2 | data | | | 0.4369942196531792
RT_STRING | 0x275a550 | 0x598 | data | | | 0.44622905027932963
RT_STRING | 0x275aae8 | 0x612 | data | | | 0.42857142857142855
RT_STRING | 0x275b100 | 0x7e | data | | | 0.626984126984127
RT_ACCELERATOR | 0x2756098 | 0x28 | data | | | 1.025
RT_GROUP_CURSOR | 0x2758798 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x274a980 | 0x68 | data | Turkish | Turkey | 0.7019230769230769
RT_GROUP_ICON | 0x2755428 | 0x76 | data | Turkish | Turkey | 0.6779661016949152
RT_GROUP_ICON | 0x27451f0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x274ec00 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_VERSION | 0x27587c0 | 0x1ac | data | | | 0.5911214953271028
DLL | Import
KERNEL32.dll | DebugActiveProcess, GetComputerNameA, SearchPathW, GetConsoleAliasesLengthW, CopyFileExW, GetNumaProcessorNode, WriteConsoleOutputW, HeapAlloc, InterlockedIncrement, GlobalSize, CreateDirectoryW, GetSystemDefaultLCID, CallNamedPipeW, GetModuleHandleW, GetCommandLineA, GetSystemTimes, GetEnvironmentStrings, LoadLibraryW, GetConsoleAliasExesLengthW, SetConsoleMode, GetFileAttributesW, GetBinaryTypeA, GetShortPathNameA, InterlockedExchange, GetStartupInfoA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, CopyFileA, SetStdHandle, EnterCriticalSection, BuildCommDCBW, GetNumaHighestNodeNumber, OpenWaitableTimerA, UnhandledExceptionFilter, LocalAlloc, WritePrivateProfileStringA, QueryDosDeviceW, VirtualLock, FindAtomA, FoldStringA, GetModuleFileNameA, GetDefaultCommConfigA, SetConsoleTitleW, FreeEnvironmentStringsW, SetCalendarInfoA, SetFileAttributesW, WriteConsoleW, CloseHandle, MultiByteToWideChar, EncodePointer, DecodePointer, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, Sleep, HeapSize, WriteFile, GetModuleFileNameW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, LCMapStringW, GetStringTypeW, HeapFree, RtlUnwind, ReadFile, HeapReAlloc, IsProcessorFeaturePresent, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CreateFileW
USER32.dll | GetUserObjectInformationW

Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 07:47:22.541750908 CEST | 49707 | 25 | 192.168.2.10 | 52.101.42.0
Sep 25, 2024 07:47:23.548072100 CEST | 49707 | 25 | 192.168.2.10 | 52.101.42.0
Sep 25, 2024 07:47:25.548177958 CEST | 49707 | 25 | 192.168.2.10 | 52.101.42.0
Sep 25, 2024 07:47:25.900480032 CEST | 49712 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:47:25.900506973 CEST | 443 | 49712 | 195.58.54.132 | 192.168.2.10
Sep 25, 2024 07:47:25.900676966 CEST | 49712 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:47:29.548187971 CEST | 49707 | 25 | 192.168.2.10 | 52.101.42.0
Sep 25, 2024 07:47:37.548146963 CEST | 49707 | 25 | 192.168.2.10 | 52.101.42.0
Sep 25, 2024 07:47:42.548573017 CEST | 49713 | 25 | 192.168.2.10 | 98.136.96.76
Sep 25, 2024 07:47:43.563777924 CEST | 49713 | 25 | 192.168.2.10 | 98.136.96.76
Sep 25, 2024 07:47:45.563754082 CEST | 49713 | 25 | 192.168.2.10 | 98.136.96.76
Sep 25, 2024 07:47:49.579368114 CEST | 49713 | 25 | 192.168.2.10 | 98.136.96.76
Sep 25, 2024 07:47:57.579402924 CEST | 49713 | 25 | 192.168.2.10 | 98.136.96.76
Sep 25, 2024 07:48:02.568509102 CEST | 62561 | 25 | 192.168.2.10 | 142.250.110.27
Sep 25, 2024 07:48:03.579421043 CEST | 62561 | 25 | 192.168.2.10 | 142.250.110.27
Sep 25, 2024 07:48:05.579442024 CEST | 62561 | 25 | 192.168.2.10 | 142.250.110.27
Sep 25, 2024 07:48:05.892189026 CEST | 49712 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:05.892292976 CEST | 443 | 49712 | 195.58.54.132 | 192.168.2.10
Sep 25, 2024 07:48:05.892489910 CEST | 49712 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:06.002299070 CEST | 62562 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:06.002372980 CEST | 443 | 62562 | 195.58.54.132 | 192.168.2.10
Sep 25, 2024 07:48:06.002453089 CEST | 62562 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:09.595109940 CEST | 62561 | 25 | 192.168.2.10 | 142.250.110.27
Sep 25, 2024 07:48:17.610750914 CEST | 62561 | 25 | 192.168.2.10 | 142.250.110.27
Sep 25, 2024 07:48:22.580359936 CEST | 62563 | 25 | 192.168.2.10 | 94.100.180.31
Sep 25, 2024 07:48:23.595016956 CEST | 62563 | 25 | 192.168.2.10 | 94.100.180.31
Sep 25, 2024 07:48:25.595113039 CEST | 62563 | 25 | 192.168.2.10 | 94.100.180.31
Sep 25, 2024 07:48:29.597076893 CEST | 62563 | 25 | 192.168.2.10 | 94.100.180.31
Sep 25, 2024 07:48:37.610649109 CEST | 62563 | 25 | 192.168.2.10 | 94.100.180.31
Sep 25, 2024 07:48:46.001457930 CEST | 62562 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:46.001610994 CEST | 443 | 62562 | 195.58.54.132 | 192.168.2.10
Sep 25, 2024 07:48:46.001830101 CEST | 62562 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:46.111591101 CEST | 62564 | 443 | 192.168.2.10 | 195.58.54.132
Sep 25, 2024 07:48:46.111643076 CEST | 443 | 62564 | 195.58.54.132 | 192.168.2.10
Sep 25, 2024 07:48:46.111792088 CEST | 62564 | 443 | 192.168.2.10 | 195.58.54.132

The port 25 rows come in groups of five with the same source port at 1, 2, 4 and 8 second spacing and no packet back from the mail host, which is the SYN retransmission schedule of a connection that was never answered in the sandbox. The connections on 443 to 195.58.54.132 are answered (packets in both directions); a new one is opened about every 40 seconds (07:47:25, 07:48:06, 07:48:46), each time right after a final exchange on the previous one.
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 07:47:22.505718946 CEST | 62137 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:47:22.538645983 CEST | 53 | 62137 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:47:25.392596960 CEST | 61596 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:47:25.899607897 CEST | 53 | 61596 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:47:38.736850023 CEST | 50381 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:47:39.333460093 CEST | 53 | 50381 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:47:42.533287048 CEST | 59886 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:47:42.540275097 CEST | 53 | 59886 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:47:42.540901899 CEST | 61789 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:47:42.547858953 CEST | 53 | 61789 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:47:52.790116072 CEST | 53 | 61056 | 162.159.36.2 | 192.168.2.10
Sep 25, 2024 07:47:53.272361040 CEST | 53 | 59923 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:48:02.548736095 CEST | 57782 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:48:02.557162046 CEST | 53 | 57782 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:48:02.557940960 CEST | 49165 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:48:02.567943096 CEST | 53 | 49165 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:48:22.564462900 CEST | 58927 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:48:22.571475029 CEST | 53 | 58927 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:48:22.572410107 CEST | 53510 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:48:22.579725981 CEST | 53 | 53510 | 1.1.1.1 | 192.168.2.10
Sep 25, 2024 07:49:13.382874012 CEST | 58593 | 53 | 192.168.2.10 | 1.1.1.1
Sep 25, 2024 07:49:13.413796902 CEST | 53 | 58593 | 1.1.1.1 | 192.168.2.10
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 07:47:22.505718946 CEST | 192.168.2.10 | 1.1.1.1 | 0xbc11 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:47:25.392596960 CEST | 192.168.2.10 | 1.1.1.1 | 0xcefd | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:47:38.736850023 CEST | 192.168.2.10 | 1.1.1.1 | 0x16aa | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:47:42.533287048 CEST | 192.168.2.10 | 1.1.1.1 | 0x2bf8 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 25, 2024 07:47:42.540901899 CEST | 192.168.2.10 | 1.1.1.1 | 0xe949 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.548736095 CEST | 192.168.2.10 | 1.1.1.1 | 0x3029 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 25, 2024 07:48:02.557940960 CEST | 192.168.2.10 | 1.1.1.1 | 0xb0c0 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:22.564462900 CEST | 192.168.2.10 | 1.1.1.1 | 0x3289 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 25, 2024 07:48:22.572410107 CEST | 192.168.2.10 | 1.1.1.1 | 0x679e | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:49:13.382874012 CEST | 192.168.2.10 | 1.1.1.1 | 0xd4fd | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Sep 25, 2024 07:47:22.538645983 CEST1.1.1.1192.168.2.100xbc11No error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:22.538645983 CEST1.1.1.1192.168.2.100xbc11No error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:22.538645983 CEST1.1.1.1192.168.2.100xbc11No error (0)microsoft-com.mail.protection.outlook.com52.101.11.0A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:22.538645983 CEST1.1.1.1192.168.2.100xbc11No error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:25.899607897 CEST1.1.1.1192.168.2.100xcefdNo error (0)vanaheim.cn195.58.54.132A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:39.333460093 CEST1.1.1.1192.168.2.100x16aaNo error (0)vanaheim.cn195.58.54.132A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.540275097 CEST1.1.1.1192.168.2.100x2bf8No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.540275097 CEST1.1.1.1192.168.2.100x2bf8No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.540275097 CEST1.1.1.1192.168.2.100x2bf8No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net98.136.96.91A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net98.136.96.77A (IP address)IN (0x0001)false
                                                                                          Sep 25, 2024 07:47:42.547858953 CEST1.1.1.1192.168.2.100xe949No error (0)mta7.am0.yahoodns.net67.195.204.72A (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 07:47:42.547858953 CEST | 1.1.1.1 | 192.168.2.10 | 0xe949 | No error (0) | mta7.am0.yahoodns.net | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.557162046 CEST | 1.1.1.1 | 192.168.2.10 | 0x3029 | No error (0) | google.com | - | MX (Mail exchange) | IN (0x0001) | false
Sep 25, 2024 07:48:02.567943096 CEST | 1.1.1.1 | 192.168.2.10 | 0xb0c0 | No error (0) | smtp.google.com | 142.250.110.27 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.567943096 CEST | 1.1.1.1 | 192.168.2.10 | 0xb0c0 | No error (0) | smtp.google.com | 142.251.168.27 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.567943096 CEST | 1.1.1.1 | 192.168.2.10 | 0xb0c0 | No error (0) | smtp.google.com | 66.102.1.26 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.567943096 CEST | 1.1.1.1 | 192.168.2.10 | 0xb0c0 | No error (0) | smtp.google.com | 66.102.1.27 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:02.567943096 CEST | 1.1.1.1 | 192.168.2.10 | 0xb0c0 | No error (0) | smtp.google.com | 142.250.110.26 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:22.571475029 CEST | 1.1.1.1 | 192.168.2.10 | 0x3289 | No error (0) | mail.ru | - | MX (Mail exchange) | IN (0x0001) | false
Sep 25, 2024 07:48:22.579725981 CEST | 1.1.1.1 | 192.168.2.10 | 0x679e | No error (0) | mxs.mail.ru | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:48:22.579725981 CEST | 1.1.1.1 | 192.168.2.10 | 0x679e | No error (0) | mxs.mail.ru | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:49:13.413796902 CEST | 1.1.1.1 | 192.168.2.10 | 0xd4fd | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:49:13.413796902 CEST | 1.1.1.1 | 192.168.2.10 | 0xd4fd | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:49:13.413796902 CEST | 1.1.1.1 | 192.168.2.10 | 0xd4fd | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 07:49:13.413796902 CEST | 1.1.1.1 | 192.168.2.10 | 0xd4fd | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.42.0 | A (IP address) | IN (0x0001) | false
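The DNS answers above show the sandbox client (192.168.2.10) querying MX records for google.com and mail.ru twenty seconds apart and, in between, resolving the mail-exchanger hosts themselves (smtp.google.com, mxs.mail.ru, mta7.am0.yahoodns.net, microsoft-com.mail.protection.outlook.com). That is the footprint of a spam engine that delivers directly to recipient MX hosts; an ordinary workstation hands mail to a relay and never asks for MX records. The detector below is an added example and is not code from the report or from Joe Security. It runs two rules over a constructed event list taken from the rows above (timestamp, client, query type, name; the other columns are dropped): a sliding-window count of distinct MX domains per client, and a stricter allowlist rule for networks where only designated mail servers may issue MX queries. The threshold of two domains in sixty seconds is an assumption chosen for this example.

```python
"""Spambot DNS heuristic: flag clients that resolve MX records for several
unrelated mail domains in a short window.

Added example, not part of the Joe Sandbox report. DNS_ANSWERS is constructed
from the report's DNS answer rows; thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed from the report rows: (timestamp, client, query type, name).
DNS_ANSWERS = [
    ("Sep 25, 2024 07:47:42.547858953", "192.168.2.10", "A",  "mta7.am0.yahoodns.net"),
    ("Sep 25, 2024 07:48:02.557162046", "192.168.2.10", "MX", "google.com"),
    ("Sep 25, 2024 07:48:02.567943096", "192.168.2.10", "A",  "smtp.google.com"),
    ("Sep 25, 2024 07:48:22.571475029", "192.168.2.10", "MX", "mail.ru"),
    ("Sep 25, 2024 07:48:22.579725981", "192.168.2.10", "A",  "mxs.mail.ru"),
    ("Sep 25, 2024 07:49:13.413796902", "192.168.2.10", "A",  "microsoft-com.mail.protection.outlook.com"),
]


def parse_ts(stamp):
    """Parse the report's 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn' stamp.

    datetime only carries microseconds, so the nanosecond tail is truncated
    to six digits before parsing.
    """
    main, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def mx_lookup_bursts(answers, min_domains=2, window=timedelta(seconds=60)):
    """Return {client: sorted MX domains} for every client that queried MX
    records for at least `min_domains` distinct domains inside any `window`.

    Only MX answers are considered; the later A lookups of the MX hosts are
    corroborating context, not part of the count.
    """
    per_client = defaultdict(list)
    for stamp, client, qtype, name in answers:
        if qtype.upper() == "MX":
            per_client[client].append((parse_ts(stamp), name.lower()))

    hits = {}
    for client, events in per_client.items():
        events.sort()
        flagged = set()
        # Slide the window forward from each MX query and collect every
        # domain set that crosses the threshold.
        for i, (t0, _) in enumerate(events):
            in_window = {n for t, n in events[i:] if t - t0 <= window}
            if len(in_window) >= min_domains:
                flagged |= in_window
        if flagged:
            hits[client] = sorted(flagged)
    return hits


def mx_queries_outside_allowlist(answers, allowed_clients=frozenset()):
    """Stricter rule for networks whose workstations send through a relay:
    any MX query from a client that is not an allowed mail server is a hit.
    Returns sorted (client, domain) pairs."""
    return sorted({(c, n.lower()) for _, c, q, n in answers
                   if q.upper() == "MX" and c not in allowed_clients})


if __name__ == "__main__":
    print("burst rule:", mx_lookup_bursts(DNS_ANSWERS))
    print("allowlist rule:", mx_queries_outside_allowlist(DNS_ANSWERS))
```

On the report data the burst rule fires on 192.168.2.10 for google.com and mail.ru; shrinking the window below the twenty seconds between those two queries silences it, which is the knob to tune against legitimate mail servers. The allowlist rule is the better fit where the mail path is known, because a single MX query from a workstation is already anomalous there.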

                                                                                          Target ID:0
                                                                                          Start time:01:47:06
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Users\user\Desktop\OPgjjiInNK.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\OPgjjiInNK.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:244'224 bytes
                                                                                          MD5 hash:BFABF02B846C1CD0634FA1BF8A95E4AA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1438321778.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:01:47:12
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pomunxzj\
                                                                                          Imagebase:0xd70000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:01:47:12
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:01:47:13
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxavuooi.exe" C:\Windows\SysWOW64\pomunxzj\
                                                                                          Imagebase:0xd70000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:01:47:13
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:01:47:13
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create pomunxzj binPath= "C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d\"C:\Users\user\Desktop\OPgjjiInNK.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0x990000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:01:47:13
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:01:47:14
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description pomunxzj "wifi internet conection"
                                                                                          Imagebase:0x990000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:01:47:14
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:01:47:14
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start pomunxzj
                                                                                          Imagebase:0x990000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:01:47:14
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:01:47:14
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe /d"C:\Users\user\Desktop\OPgjjiInNK.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:14'440'448 bytes
                                                                                          MD5 hash:27370B7DFBEDCB3761138C7185EEFAB9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.1533258866.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.1533467618.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.1524662493.0000000003360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:01:47:15
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x1160000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true
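Target IDs 2 through 13 above are one install chain, read top to bottom: cmd.exe creates a random-named directory under C:\Windows\SysWOW64, moves the dropped binary there from the user's Temp folder, sc.exe registers it as an auto-start service with the benign-looking display name "wifi support" and a description to match, starts it, and netsh.exe adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe under a name that imitates the description of the real service host. The correlation below is an added example, not code from the report or from Joe Security. It parses the six command lines (constructed here from the records above, keyed by target ID) and ties the service to the staging directory it was launched from; the rule names, the choice of SysWOW64 and System32 as the watched parents, and the treatment of any svchost.exe path other than C:\Windows\System32\svchost.exe as non-standard are heuristics chosen for this example.

```python
"""Correlate a Tofsee-style install chain from process command lines:
stage a binary from %TEMP% into a fresh directory under a system folder,
register it as an auto-start service with sc.exe, then open the firewall
for the 32-bit svchost.exe.

Added example, not code from the report or from Joe Security. PROCESS_EVENTS
is constructed from the report's process records; the rules are heuristics.
"""
import ntpath
import re

# Constructed from the report: (target ID, command line).
PROCESS_EVENTS = [
    (2, '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\pomunxzj\\'),
    (4, '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\user\\AppData\\Local\\Temp\\qxavuooi.exe" C:\\Windows\\SysWOW64\\pomunxzj\\'),
    (6, '"C:\\Windows\\System32\\sc.exe" create pomunxzj binPath= "C:\\Windows\\SysWOW64\\pomunxzj\\qxavuooi.exe /d\\"C:\\Users\\user\\Desktop\\OPgjjiInNK.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    (8, '"C:\\Windows\\System32\\sc.exe" description pomunxzj "wifi internet conection"'),
    (10, '"C:\\Windows\\System32\\sc.exe" start pomunxzj'),
    (13, '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul'),
]

# Heuristic choices for this example: parents under which a fresh directory
# is suspicious, and the only svchost.exe path a service should ever need.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
LEGIT_SVCHOST = "c:\\windows\\system32\\svchost.exe"

MKDIR = re.compile(r'\bmkdir\s+"?([a-z]:\\[^"\s]+)', re.I)
MOVE = re.compile(r'\bmove\s+(?:/y\s+)?"?([^"\s]+)"?\s+"?([^"\s]+)', re.I)
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+).*?binPath=\s*"?([a-z]:\\[^"\s]+)', re.I)
START_AUTO = re.compile(r'\bstart=\s*auto\b', re.I)
NETSH_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b.*?\bprogram="?([^"\s]+)', re.I)


def norm_dir(path):
    """Lower-case a directory and guarantee exactly one trailing backslash."""
    return path.rstrip("\\").lower() + "\\"


def analyze(events):
    """Return (findings, chains).

    findings: (target ID, rule, detail) for each suspicious command line.
    chains:   service names whose binary lives in a directory this log shows
              being created under a system folder and filled from %TEMP%.
    """
    findings, staged_dirs, services = [], {}, {}
    for tid, cmd in events:
        if (m := MKDIR.search(cmd)) and norm_dir(m.group(1)).startswith(SYSTEM_DIRS):
            d = norm_dir(m.group(1))
            staged_dirs.setdefault(d, set()).add("mkdir")
            findings.append((tid, "new_dir_in_system_dir", d))

        if (m := MOVE.search(cmd)) and "\\appdata\\local\\temp\\" in m.group(1).lower():
            d = norm_dir(m.group(2))
            if d.startswith(SYSTEM_DIRS):
                staged_dirs.setdefault(d, set()).add("move_from_temp")
                findings.append((tid, "temp_binary_moved_to_system_dir", m.group(1)))

        if m := SC_CREATE.search(cmd):
            svc, exe = m.group(1), m.group(2)
            exe_dir = norm_dir(ntpath.dirname(exe))
            services[svc] = exe_dir
            # Either the binary sits in a directory we just saw staged, or it is
            # an auto-start service living in a subfolder of a system directory.
            suspicious = exe_dir in staged_dirs or (
                START_AUTO.search(cmd) and exe_dir.startswith(SYSTEM_DIRS)
                and exe_dir not in SYSTEM_DIRS)
            if suspicious:
                findings.append((tid, "autostart_service_from_staged_dir", f"{svc} -> {exe}"))

        if m := NETSH_ALLOW.search(cmd):
            prog = m.group(1).lower()
            if ntpath.basename(prog) == "svchost.exe" and prog != LEGIT_SVCHOST:
                findings.append((tid, "firewall_allow_for_nonstandard_svchost", m.group(1)))

    chains = sorted(svc for svc, d in services.items()
                    if staged_dirs.get(d, set()) >= {"mkdir", "move_from_temp"})
    return findings, chains


if __name__ == "__main__":
    found, linked = analyze(PROCESS_EVENTS)
    for tid, rule, detail in found:
        print(f"target {tid}: {rule}: {detail}")
    print("correlated services:", linked)
```

The service name is the pivot: sc.exe create, description and start all carry it, and the binPath directory matches the mkdir and move targets, so one alert can name the service, the dropped file and the firewall rule together rather than four unrelated process events. The sc.exe description and start commands are deliberately not rules on their own; they only confirm the chain.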

                                                                                          Target ID:14
                                                                                          Start time:01:47:15
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                          Imagebase:0x7ff7df220000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false

                                                                                          Target ID:15
                                                                                          Start time:01:47:15
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:01:47:15
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7736 -ip 7736
                                                                                          Imagebase:0xea0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:01:47:15
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1028
                                                                                          Imagebase:0xea0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:01:47:21
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0xe80000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false

                                                                                          Target ID:19
                                                                                          Start time:01:47:21
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144
                                                                                          Imagebase:0xea0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:20
                                                                                          Start time:01:47:21
                                                                                          Start date:25/09/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 584
                                                                                          Imagebase:0xea0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                            Execution Graph

                                                                                            Execution Coverage:4.5%
                                                                                            Dynamic/Decrypted Code Coverage:2.1%
                                                                                            Signature Coverage:26.5%
                                                                                            Total number of Nodes:1556
                                                                                            Total number of Limit Nodes:20
15787 4063b6 15785->15787 15786->15779 15788 4063be VirtualAllocEx 15787->15788 15788->15786 15789 4063d6 15788->15789 15790 4063df WriteProcessMemory 15789->15790 15790->15786 15792 40dd41 InterlockedExchange 15791->15792 15793 40dd20 GetCurrentThreadId 15792->15793 15794 40dd4a 15792->15794 15795 40dd53 GetCurrentThreadId 15793->15795 15796 40dd2e GetTickCount 15793->15796 15794->15795 15795->15385 15796->15794 15797 40dd39 Sleep 15796->15797 15797->15792 15799 40dbf0 15798->15799 15831 40db67 GetEnvironmentVariableA 15799->15831 15801 40dc19 15802 40dcda 15801->15802 15803 40db67 3 API calls 15801->15803 15802->15387 15804 40dc5c 15803->15804 15804->15802 15805 40db67 3 API calls 15804->15805 15806 40dc9b 15805->15806 15806->15802 15807 40db67 3 API calls 15806->15807 15807->15802 15809 40db3a 15808->15809 15811 40db55 15808->15811 15835 40ebed 15809->15835 15811->15389 15811->15394 15844 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15812->15844 15814 40e3be 15814->15389 15815 40e342 15815->15814 15847 40de24 15815->15847 15818 40e528 15817->15818 15819 40e3f4 15817->15819 15818->15399 15820 40e434 RegQueryValueExA 15819->15820 15821 40e458 15820->15821 15822 40e51d RegCloseKey 15820->15822 15823 40e46e RegQueryValueExA 15821->15823 15822->15818 15823->15821 15824 40e488 15823->15824 15824->15822 15825 40db2e 8 API calls 15824->15825 15826 40e499 15825->15826 15826->15822 15827 40e4b9 RegQueryValueExA 15826->15827 15828 40e4e8 15826->15828 15827->15826 15827->15828 15828->15822 15829 40e332 14 API calls 15828->15829 15830 40e513 15829->15830 15830->15822 15832 40db89 lstrcpyA CreateFileA 15831->15832 15833 40dbca 15831->15833 15832->15801 15833->15801 15836 40ec01 15835->15836 15837 40ebf6 15835->15837 15838 40eba0 codecvt 2 API calls 15836->15838 15839 40ebcc 4 API calls 15837->15839 15841 40ec0a GetProcessHeap HeapReAlloc 15838->15841 15840 40ebfe 15839->15840 15840->15811 15842 40eb74 2 API calls 15841->15842 15843 40ec28 15842->15843 15843->15811 
15858 40eb41 15844->15858 15848 40de3a 15847->15848 15854 40de4e 15848->15854 15862 40dd84 15848->15862 15851 40ebed 8 API calls 15856 40def6 15851->15856 15852 40de9e 15852->15851 15852->15854 15853 40de76 15866 40ddcf 15853->15866 15854->15815 15856->15854 15857 40ddcf lstrcmpA 15856->15857 15857->15854 15859 40eb54 15858->15859 15860 40eb4a 15858->15860 15859->15815 15861 40eae4 2 API calls 15860->15861 15861->15859 15863 40ddc5 15862->15863 15864 40dd96 15862->15864 15863->15852 15863->15853 15864->15863 15865 40ddad lstrcmpiA 15864->15865 15865->15863 15865->15864 15867 40dddd 15866->15867 15869 40de20 15866->15869 15868 40ddfa lstrcmpA 15867->15868 15867->15869 15868->15867 15869->15854 15871 40dd05 6 API calls 15870->15871 15872 40e821 15871->15872 15873 40dd84 lstrcmpiA 15872->15873 15874 40e82c 15873->15874 15875 40e844 15874->15875 15918 402480 15874->15918 15875->15414 15878 40dd05 6 API calls 15877->15878 15879 40df7c 15878->15879 15880 40dd84 lstrcmpiA 15879->15880 15884 40df89 15880->15884 15881 40dfc4 15881->15421 15882 40ddcf lstrcmpA 15882->15884 15883 40ec2e codecvt 4 API calls 15883->15884 15884->15881 15884->15882 15884->15883 15885 40dd84 lstrcmpiA 15884->15885 15885->15884 15887 40ea98 15886->15887 15927 40e8a1 15887->15927 15889 401e84 15889->15422 15891 4019d5 GetProcAddress GetProcAddress GetProcAddress 15890->15891 15892 4019ce 15890->15892 15893 401ab3 FreeLibrary 15891->15893 15894 401a04 15891->15894 15892->15427 15893->15892 15894->15893 15895 401a14 GetProcessHeap 15894->15895 15895->15892 15897 401a2e HeapAlloc 15895->15897 15897->15892 15898 401a42 15897->15898 15899 401a52 HeapReAlloc 15898->15899 15901 401a62 15898->15901 15899->15901 15900 401aa1 FreeLibrary 15900->15892 15901->15900 15902 401a96 HeapFree 15901->15902 15902->15900 15955 401ac3 LoadLibraryA 15903->15955 15906 401bcf 15906->15438 15908 401ac3 12 API calls 15907->15908 15909 401c09 15908->15909 15910 401c41 15909->15910 15911 401c0d GetComputerNameA 15909->15911 
15910->15446 15912 401c45 GetVolumeInformationA 15911->15912 15913 401c1f 15911->15913 15912->15910 15913->15910 15913->15912 15915 40ee2a 15914->15915 15916 4030d0 gethostname gethostbyname 15915->15916 15917 401f82 15916->15917 15917->15452 15917->15453 15921 402419 lstrlenA 15918->15921 15920 402491 15920->15875 15922 40243d lstrlenA 15921->15922 15926 402474 15921->15926 15923 402464 lstrlenA 15922->15923 15924 40244e lstrcmpiA 15922->15924 15923->15922 15923->15926 15924->15923 15925 40245c 15924->15925 15925->15923 15925->15926 15926->15920 15928 40dd05 6 API calls 15927->15928 15929 40e8b4 15928->15929 15930 40dd84 lstrcmpiA 15929->15930 15931 40e8c0 15930->15931 15932 40e90a 15931->15932 15933 40e8c8 lstrcpynA 15931->15933 15935 402419 4 API calls 15932->15935 15943 40ea27 15932->15943 15934 40e8f5 15933->15934 15948 40df4c 15934->15948 15936 40e926 lstrlenA lstrlenA 15935->15936 15938 40e96a 15936->15938 15939 40e94c lstrlenA 15936->15939 15942 40ebcc 4 API calls 15938->15942 15938->15943 15939->15938 15940 40e901 15941 40dd84 lstrcmpiA 15940->15941 15941->15932 15944 40e98f 15942->15944 15943->15889 15944->15943 15945 40df4c 20 API calls 15944->15945 15946 40ea1e 15945->15946 15947 40ec2e codecvt 4 API calls 15946->15947 15947->15943 15949 40dd05 6 API calls 15948->15949 15950 40df51 15949->15950 15951 40f04e 4 API calls 15950->15951 15952 40df58 15951->15952 15953 40de24 10 API calls 15952->15953 15954 40df63 15953->15954 15954->15940 15956 401ae2 GetProcAddress 15955->15956 15957 401b68 GetComputerNameA GetVolumeInformationA 15955->15957 15956->15957 15958 401af5 15956->15958 15957->15906 15959 40ebed 8 API calls 15958->15959 15960 401b29 15958->15960 15959->15958 15960->15957 15960->15960 15961 40ec2e codecvt 4 API calls 15960->15961 15961->15957 15963 406ec3 2 API calls 15962->15963 15964 407ef4 15963->15964 15965 407fc9 15964->15965 15966 4073ff 17 API calls 15964->15966 15965->15465 15967 407f16 15966->15967 15967->15965 15975 407809 GetUserNameA 
15967->15975 15969 407f63 15969->15965 15970 40ef1e lstrlenA 15969->15970 15971 407fa6 15970->15971 15972 40ef1e lstrlenA 15971->15972 15973 407fb7 15972->15973 15999 407a95 RegOpenKeyExA 15973->15999 15976 40783d LookupAccountNameA 15975->15976 15977 407a8d 15975->15977 15976->15977 15978 407874 GetLengthSid GetFileSecurityA 15976->15978 15977->15969 15978->15977 15979 4078a8 GetSecurityDescriptorOwner 15978->15979 15980 4078c5 EqualSid 15979->15980 15981 40791d GetSecurityDescriptorDacl 15979->15981 15980->15981 15982 4078dc LocalAlloc 15980->15982 15981->15977 15989 407941 15981->15989 15982->15981 15983 4078ef InitializeSecurityDescriptor 15982->15983 15984 407916 LocalFree 15983->15984 15985 4078fb SetSecurityDescriptorOwner 15983->15985 15984->15981 15985->15984 15987 40790b SetFileSecurityA 15985->15987 15986 40795b GetAce 15986->15989 15987->15984 15988 407980 EqualSid 15988->15989 15989->15977 15989->15986 15989->15988 15990 407a3d 15989->15990 15991 4079be EqualSid 15989->15991 15992 40799d DeleteAce 15989->15992 15990->15977 15993 407a43 LocalAlloc 15990->15993 15991->15989 15992->15989 15993->15977 15994 407a56 InitializeSecurityDescriptor 15993->15994 15995 407a62 SetSecurityDescriptorDacl 15994->15995 15996 407a86 LocalFree 15994->15996 15995->15996 15997 407a73 SetFileSecurityA 15995->15997 15996->15977 15997->15996 15998 407a83 15997->15998 15998->15996 16000 407ac4 15999->16000 16001 407acb GetUserNameA 15999->16001 16000->15965 16002 407da7 RegCloseKey 16001->16002 16003 407aed LookupAccountNameA 16001->16003 16002->16000 16003->16002 16004 407b24 RegGetKeySecurity 16003->16004 16004->16002 16005 407b49 GetSecurityDescriptorOwner 16004->16005 16006 407b63 EqualSid 16005->16006 16007 407bb8 GetSecurityDescriptorDacl 16005->16007 16006->16007 16008 407b74 LocalAlloc 16006->16008 16009 407da6 16007->16009 16016 407bdc 16007->16016 16008->16007 16010 407b8a InitializeSecurityDescriptor 16008->16010 16009->16002 16012 407bb1 LocalFree 16010->16012 
16013 407b96 SetSecurityDescriptorOwner 16010->16013 16011 407bf8 GetAce 16011->16016 16012->16007 16013->16012 16014 407ba6 RegSetKeySecurity 16013->16014 16014->16012 16015 407c1d EqualSid 16015->16016 16016->16009 16016->16011 16016->16015 16017 407cd9 16016->16017 16018 407c5f EqualSid 16016->16018 16019 407c3a DeleteAce 16016->16019 16017->16009 16020 407d5a LocalAlloc 16017->16020 16021 407cf2 RegOpenKeyExA 16017->16021 16018->16016 16019->16016 16020->16009 16022 407d70 InitializeSecurityDescriptor 16020->16022 16021->16020 16027 407d0f 16021->16027 16023 407d7c SetSecurityDescriptorDacl 16022->16023 16024 407d9f LocalFree 16022->16024 16023->16024 16025 407d8c RegSetKeySecurity 16023->16025 16024->16009 16025->16024 16026 407d9c 16025->16026 16026->16024 16028 407d43 RegSetValueExA 16027->16028 16028->16020 16029 407d54 16028->16029 16029->16020 16030->15481 16032 40dd05 6 API calls 16031->16032 16033 40e65f 16032->16033 16034 40e6a5 16033->16034 16037 40e68c lstrcmpA 16033->16037 16035 40ebcc 4 API calls 16034->16035 16038 40e6f5 16034->16038 16036 40e6b0 16035->16036 16036->16038 16040 40e6b7 16036->16040 16041 40e6e0 lstrcpynA 16036->16041 16037->16033 16039 40e71d lstrcmpA 16038->16039 16038->16040 16039->16038 16040->15483 16041->16038 16042->15489 16044 40c525 16043->16044 16045 40c532 16043->16045 16044->16045 16047 40ec2e codecvt 4 API calls 16044->16047 16046 40c548 16045->16046 16195 40e7ff 16045->16195 16049 40e7ff lstrcmpiA 16046->16049 16057 40c54f 16046->16057 16047->16045 16050 40c615 16049->16050 16051 40ebcc 4 API calls 16050->16051 16050->16057 16051->16057 16052 40c5d1 16055 40ebcc 4 API calls 16052->16055 16054 40e819 11 API calls 16056 40c5b7 16054->16056 16055->16057 16058 40f04e 4 API calls 16056->16058 16057->15502 16059 40c5bf 16058->16059 16059->16046 16059->16052 16061 402692 inet_addr 16060->16061 16062 40268e 16060->16062 16061->16062 16063 40269e gethostbyname 16061->16063 16064 40f428 16062->16064 16063->16062 16198 40f315 
16064->16198 16069 40c8d2 16067->16069 16068 40c907 16068->15504 16069->16068 16070 40c517 23 API calls 16069->16070 16070->16068 16071 40f43e 16072 40f473 recv 16071->16072 16073 40f458 16072->16073 16074 40f47c 16072->16074 16073->16072 16073->16074 16074->15520 16076 40c670 16075->16076 16077 40c67d 16075->16077 16078 40ebcc 4 API calls 16076->16078 16079 40ebcc 4 API calls 16077->16079 16080 40c699 16077->16080 16078->16077 16079->16080 16081 40c6f3 16080->16081 16082 40c73c send 16080->16082 16081->15533 16081->15549 16082->16081 16084 40c770 16083->16084 16085 40c77d 16083->16085 16086 40ebcc 4 API calls 16084->16086 16087 40c799 16085->16087 16088 40ebcc 4 API calls 16085->16088 16086->16085 16089 40c7b5 16087->16089 16090 40ebcc 4 API calls 16087->16090 16088->16087 16091 40f43e recv 16089->16091 16090->16089 16092 40c7cb 16091->16092 16093 40f43e recv 16092->16093 16094 40c7d3 16092->16094 16093->16094 16094->15549 16211 407db7 16095->16211 16098 407e70 16100 407e96 16098->16100 16102 40f04e 4 API calls 16098->16102 16099 40f04e 4 API calls 16101 407e4c 16099->16101 16100->15549 16101->16098 16103 40f04e 4 API calls 16101->16103 16102->16100 16103->16098 16105 406ec3 2 API calls 16104->16105 16106 407fdd 16105->16106 16107 4073ff 17 API calls 16106->16107 16116 4080c2 CreateProcessA 16106->16116 16108 407fff 16107->16108 16109 407809 21 API calls 16108->16109 16108->16116 16110 40804d 16109->16110 16111 40ef1e lstrlenA 16110->16111 16110->16116 16112 40809e 16111->16112 16113 40ef1e lstrlenA 16112->16113 16114 4080af 16113->16114 16115 407a95 24 API calls 16114->16115 16115->16116 16116->15586 16116->15587 16118 407db7 2 API calls 16117->16118 16119 407eb8 16118->16119 16120 40f04e 4 API calls 16119->16120 16121 407ece DeleteFileA 16120->16121 16121->15549 16123 40dd05 6 API calls 16122->16123 16124 40e31d 16123->16124 16215 40e177 16124->16215 16126 40e326 16126->15558 16128 4031f3 16127->16128 16138 4031ec 16127->16138 16129 40ebcc 4 API calls 
16128->16129 16136 4031fc 16129->16136 16130 403459 16132 40f04e 4 API calls 16130->16132 16131 40349d 16133 40ec2e codecvt 4 API calls 16131->16133 16134 40345f 16132->16134 16133->16138 16135 4030fa 4 API calls 16134->16135 16135->16138 16136->16136 16137 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 16136->16137 16136->16138 16139 40344d 16136->16139 16141 40344b 16136->16141 16143 403141 lstrcmpiA 16136->16143 16241 4030fa GetTickCount 16136->16241 16137->16136 16138->15549 16140 40ec2e codecvt 4 API calls 16139->16140 16140->16141 16141->16130 16141->16131 16143->16136 16145 4030fa 4 API calls 16144->16145 16146 403c1a 16145->16146 16147 403ce6 16146->16147 16246 403a72 16146->16246 16147->15549 16150 403a72 9 API calls 16151 403c5e 16150->16151 16151->16147 16152 403a72 9 API calls 16151->16152 16153 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16151->16153 16152->16151 16153->16151 16155 403a10 16154->16155 16156 4030fa 4 API calls 16155->16156 16157 403a1a 16156->16157 16157->15549 16159 40dd05 6 API calls 16158->16159 16160 40e7be 16159->16160 16160->15549 16162 40c07e wsprintfA 16161->16162 16166 40c105 16161->16166 16255 40bfce GetTickCount wsprintfA 16162->16255 16164 40c0ef 16256 40bfce GetTickCount wsprintfA 16164->16256 16166->15549 16168 407047 16167->16168 16169 406f88 16167->16169 16168->15549 16169->16169 16170 406f94 LookupAccountNameA 16169->16170 16171 407025 16170->16171 16172 406fcb 16170->16172 16173 406edd 5 API calls 16171->16173 16175 406fdb ConvertSidToStringSidA 16172->16175 16174 40702a wsprintfA 16173->16174 16174->16168 16175->16171 16176 406ff1 16175->16176 16177 407013 LocalFree 16176->16177 16177->16171 16179 40dd05 6 API calls 16178->16179 16180 40e85c 16179->16180 16181 40dd84 lstrcmpiA 16180->16181 16182 40e867 16181->16182 16183 40e885 lstrcpyA 16182->16183 16257 4024a5 16182->16257 16260 40dd69 16183->16260 16189 407db7 2 API calls 16188->16189 16190 407de1 16189->16190 16191 407e16 
16190->16191 16192 40f04e 4 API calls 16190->16192 16191->15549 16193 407df2 16192->16193 16193->16191 16194 40f04e 4 API calls 16193->16194 16194->16191 16196 40dd84 lstrcmpiA 16195->16196 16197 40c58e 16196->16197 16197->16046 16197->16052 16197->16054 16199 40ca1d 16198->16199 16200 40f33b 16198->16200 16199->15517 16199->16071 16201 40f347 htons socket 16200->16201 16202 40f382 ioctlsocket 16201->16202 16203 40f374 closesocket 16201->16203 16204 40f3aa connect select 16202->16204 16205 40f39d 16202->16205 16203->16199 16204->16199 16207 40f3f2 __WSAFDIsSet 16204->16207 16206 40f39f closesocket 16205->16206 16206->16199 16207->16206 16208 40f403 ioctlsocket 16207->16208 16210 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16208->16210 16210->16199 16212 407dc8 InterlockedExchange 16211->16212 16213 407dc0 Sleep 16212->16213 16214 407dd4 16212->16214 16213->16212 16214->16098 16214->16099 16216 40e184 16215->16216 16217 40e2e4 16216->16217 16218 40e223 16216->16218 16231 40dfe2 16216->16231 16217->16126 16218->16217 16221 40dfe2 8 API calls 16218->16221 16220 40e1be 16220->16218 16222 40dbcf 3 API calls 16220->16222 16225 40e23c 16221->16225 16223 40e1d6 16222->16223 16223->16218 16224 40e21a CloseHandle 16223->16224 16226 40e1f9 WriteFile 16223->16226 16224->16218 16225->16217 16235 40e095 RegCreateKeyExA 16225->16235 16226->16224 16228 40e213 16226->16228 16228->16224 16229 40e2a3 16229->16217 16230 40e095 4 API calls 16229->16230 16230->16217 16232 40dffc 16231->16232 16234 40e024 16231->16234 16233 40db2e 8 API calls 16232->16233 16232->16234 16233->16234 16234->16220 16236 40e0c0 16235->16236 16237 40e172 16235->16237 16238 40e13d 16236->16238 16240 40e115 RegSetValueExA 16236->16240 16237->16229 16239 40e14e RegDeleteValueA RegCloseKey 16238->16239 16239->16237 16240->16236 16240->16238 16242 403122 InterlockedExchange 16241->16242 16243 40312e 16242->16243 16244 40310f GetTickCount 16242->16244 16243->16136 16244->16243 16245 40311a Sleep 
16244->16245 16245->16242 16247 40f04e 4 API calls 16246->16247 16248 403a83 16247->16248 16251 403bc0 16248->16251 16252 403b66 lstrlenA 16248->16252 16253 403ac1 16248->16253 16249 403be6 16250 40ec2e codecvt 4 API calls 16249->16250 16250->16253 16251->16249 16254 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16251->16254 16252->16248 16252->16253 16253->16147 16253->16150 16254->16251 16255->16164 16256->16166 16258 402419 4 API calls 16257->16258 16259 4024b6 16258->16259 16259->16183 16261 40dd79 lstrlenA 16260->16261 16261->15549 16263 404084 16262->16263 16264 40407d 16262->16264 16265 403ecd 6 API calls 16263->16265 16266 40408f 16265->16266 16267 404000 3 API calls 16266->16267 16269 404095 16267->16269 16268 404130 16270 403ecd 6 API calls 16268->16270 16269->16268 16274 403f18 4 API calls 16269->16274 16271 404159 CreateNamedPipeA 16270->16271 16272 404167 Sleep 16271->16272 16273 404188 ConnectNamedPipe 16271->16273 16272->16268 16276 404176 CloseHandle 16272->16276 16275 404195 GetLastError 16273->16275 16286 4041ab 16273->16286 16277 4040da 16274->16277 16278 40425e DisconnectNamedPipe 16275->16278 16275->16286 16276->16273 16279 403f8c 4 API calls 16277->16279 16278->16273 16280 4040ec 16279->16280 16281 404127 CloseHandle 16280->16281 16282 404101 16280->16282 16281->16268 16283 403f18 4 API calls 16282->16283 16284 40411c ExitProcess 16283->16284 16285 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16285->16286 16286->16273 16286->16278 16286->16285 16287 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16286->16287 16288 40426a CloseHandle CloseHandle 16286->16288 16287->16286 16289 40e318 23 API calls 16288->16289 16290 40427b 16289->16290 16290->16290 16292 408791 16291->16292 16293 40879f 16291->16293 16294 40f04e 4 API calls 16292->16294 16295 4087bc 16293->16295 16296 40f04e 4 API calls 16293->16296 16294->16293 16297 40e819 11 API calls 16295->16297 16296->16295 16298 4087d7 
16297->16298 16303 408803 16298->16303 16314 4026b2 gethostbyaddr 16298->16314 16301 4087eb 16301->16303 16304 40e8a1 30 API calls 16301->16304 16319 408cee 16303->16319 16327 40c4d6 16303->16327 16330 40c4e2 16303->16330 16333 402011 16303->16333 16304->16303 16307 40e819 11 API calls 16312 40881f 16307->16312 16308 4088a0 Sleep 16308->16303 16309 4026b2 2 API calls 16309->16312 16310 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16310->16312 16312->16307 16312->16308 16312->16309 16312->16310 16313 40e8a1 30 API calls 16312->16313 16368 408328 16312->16368 16313->16312 16315 4026fb 16314->16315 16316 4026cd 16314->16316 16315->16301 16317 4026e1 inet_ntoa 16316->16317 16318 4026de 16316->16318 16317->16318 16318->16301 16320 408d02 GetTickCount 16319->16320 16321 408dae 16319->16321 16320->16321 16322 408d19 16320->16322 16321->16303 16323 408da1 GetTickCount 16322->16323 16326 408d89 16322->16326 16420 40a677 16322->16420 16423 40a688 16322->16423 16323->16321 16326->16323 16431 40c2dc 16327->16431 16331 40c2dc 124 API calls 16330->16331 16332 40c4ec 16331->16332 16332->16303 16334 402020 16333->16334 16335 40202e 16333->16335 16336 40f04e 4 API calls 16334->16336 16337 40204b 16335->16337 16338 40f04e 4 API calls 16335->16338 16336->16335 16339 40206e GetTickCount 16337->16339 16340 40f04e 4 API calls 16337->16340 16338->16337 16341 402090 16339->16341 16342 4020db GetTickCount 16339->16342 16345 402068 16340->16345 16346 4020d4 GetTickCount 16341->16346 16349 402684 2 API calls 16341->16349 16356 4020ce 16341->16356 16694 401978 16341->16694 16343 402132 GetTickCount GetTickCount 16342->16343 16344 4020e7 16342->16344 16347 40f04e 4 API calls 16343->16347 16348 40212b GetTickCount 16344->16348 16358 401978 15 API calls 16344->16358 16359 402125 16344->16359 16699 402ef8 16344->16699 16345->16339 16346->16342 16350 402159 16347->16350 16348->16343 16349->16341 16353 40e854 13 API calls 16350->16353 16365 4021b4 16350->16365 
16352 40f04e 4 API calls 16355 4021d1 16352->16355 16357 40218e 16353->16357 16360 4021f2 16355->16360 16362 40ea84 30 API calls 16355->16362 16356->16346 16361 40e819 11 API calls 16357->16361 16358->16344 16359->16348 16360->16312 16363 40219c 16361->16363 16364 4021ec 16362->16364 16363->16365 16707 401c5f 16363->16707 16366 40f04e 4 API calls 16364->16366 16365->16352 16366->16360 16369 407dd6 6 API calls 16368->16369 16370 40833c 16369->16370 16371 406ec3 2 API calls 16370->16371 16395 408340 16370->16395 16372 40834f 16371->16372 16373 40835c 16372->16373 16378 40846b 16372->16378 16374 4073ff 17 API calls 16373->16374 16397 408373 16374->16397 16375 4085df 16376 408626 GetTempPathA 16375->16376 16384 408762 16375->16384 16396 408638 16375->16396 16376->16396 16377 40675c 21 API calls 16377->16375 16380 4084a7 RegOpenKeyExA 16378->16380 16393 408450 16378->16393 16382 4084c0 RegQueryValueExA 16380->16382 16383 40852f 16380->16383 16381 4086ad 16381->16384 16387 407e2f 6 API calls 16381->16387 16385 408521 RegCloseKey 16382->16385 16386 4084dd 16382->16386 16388 408564 RegOpenKeyExA 16383->16388 16400 4085a5 16383->16400 16392 40ec2e codecvt 4 API calls 16384->16392 16384->16395 16385->16383 16386->16385 16390 40ebcc 4 API calls 16386->16390 16401 4086bb 16387->16401 16389 408573 RegSetValueExA RegCloseKey 16388->16389 16388->16400 16389->16400 16394 4084f0 16390->16394 16391 40875b DeleteFileA 16391->16384 16392->16395 16393->16375 16393->16377 16394->16385 16399 4084f8 RegQueryValueExA 16394->16399 16395->16312 16782 406ba7 IsBadCodePtr 16396->16782 16397->16393 16397->16395 16402 4083ea RegOpenKeyExA 16397->16402 16399->16385 16403 408515 16399->16403 16400->16393 16404 40ec2e codecvt 4 API calls 16400->16404 16401->16391 16407 4086e0 lstrcpyA lstrlenA 16401->16407 16402->16393 16405 4083fd RegQueryValueExA 16402->16405 16406 40ec2e codecvt 4 API calls 16403->16406 16404->16393 16408 40842d RegSetValueExA 16405->16408 16409 40841e 16405->16409 16411 40851d 
16406->16411 16412 407fcf 64 API calls 16407->16412 16410 408447 RegCloseKey 16408->16410 16409->16408 16409->16410 16410->16393 16411->16385 16413 408719 CreateProcessA 16412->16413 16414 40873d CloseHandle CloseHandle 16413->16414 16415 40874f 16413->16415 16414->16384 16416 407ee6 64 API calls 16415->16416 16417 408754 16416->16417 16418 407ead 6 API calls 16417->16418 16419 40875a 16418->16419 16419->16391 16426 40a63d 16420->16426 16422 40a685 16422->16322 16424 40a63d GetTickCount 16423->16424 16425 40a696 16424->16425 16425->16322 16427 40a645 16426->16427 16428 40a64d 16426->16428 16427->16422 16429 40a66e 16428->16429 16430 40a65e GetTickCount 16428->16430 16429->16422 16430->16429 16447 40a4c7 GetTickCount 16431->16447 16434 40c300 GetTickCount 16436 40c337 16434->16436 16435 40c326 16435->16436 16437 40c32b GetTickCount 16435->16437 16441 40c363 GetTickCount 16436->16441 16442 40c45e 16436->16442 16437->16436 16438 40c4d2 16438->16303 16439 40c4ab InterlockedIncrement CreateThread 16439->16438 16440 40c4cb CloseHandle 16439->16440 16452 40b535 16439->16452 16440->16438 16441->16442 16443 40c373 16441->16443 16442->16438 16442->16439 16444 40c378 GetTickCount 16443->16444 16445 40c37f 16443->16445 16444->16445 16446 40c43b GetTickCount 16445->16446 16446->16442 16448 40a4f7 InterlockedExchange 16447->16448 16449 40a500 16448->16449 16450 40a4e4 GetTickCount 16448->16450 16449->16434 16449->16435 16449->16442 16450->16449 16451 40a4ef Sleep 16450->16451 16451->16448 16453 40b566 16452->16453 16454 40ebcc 4 API calls 16453->16454 16455 40b587 16454->16455 16456 40ebcc 4 API calls 16455->16456 16498 40b590 16456->16498 16457 40bdcd InterlockedDecrement 16458 40bde2 16457->16458 16460 40ec2e codecvt 4 API calls 16458->16460 16461 40bdea 16460->16461 16463 40ec2e codecvt 4 API calls 16461->16463 16462 40bdb7 Sleep 16462->16498 16464 40bdf2 16463->16464 16465 40be05 16464->16465 16467 40ec2e codecvt 4 API calls 16464->16467 16466 40bdcc 16466->16457 
16467->16465 16468 40ebed 8 API calls 16468->16498 16471 40b6b6 lstrlenA 16471->16498 16472 4030b5 2 API calls 16472->16498 16473 40e819 11 API calls 16473->16498 16474 40b6ed lstrcpyA 16526 405ce1 16474->16526 16477 40b731 lstrlenA 16477->16498 16478 40b71f lstrcmpA 16478->16477 16478->16498 16479 40b772 GetTickCount 16479->16498 16480 40bd49 InterlockedIncrement 16589 40a628 16480->16589 16483 40b7ce InterlockedIncrement 16536 40acd7 16483->16536 16484 40bc5b InterlockedIncrement 16484->16498 16487 40b912 GetTickCount 16487->16498 16488 40b932 GetTickCount 16491 40bc6d InterlockedIncrement 16488->16491 16488->16498 16489 40bcdc closesocket 16489->16498 16490 40b826 InterlockedIncrement 16490->16479 16491->16498 16492 405ce1 22 API calls 16492->16498 16493 4038f0 6 API calls 16493->16498 16495 40a7c1 22 API calls 16495->16498 16497 40bba6 InterlockedIncrement 16497->16498 16498->16457 16498->16462 16498->16466 16498->16468 16498->16471 16498->16472 16498->16473 16498->16474 16498->16477 16498->16478 16498->16479 16498->16480 16498->16483 16498->16484 16498->16487 16498->16488 16498->16489 16498->16490 16498->16492 16498->16493 16498->16495 16498->16497 16500 40bc4c closesocket 16498->16500 16502 40ba71 wsprintfA 16498->16502 16504 40ab81 lstrcpynA InterlockedIncrement 16498->16504 16505 40ef1e lstrlenA 16498->16505 16506 405ded 12 API calls 16498->16506 16507 40a688 GetTickCount 16498->16507 16508 403e10 16498->16508 16511 403e4f 16498->16511 16514 40384f 16498->16514 16534 40a7a3 inet_ntoa 16498->16534 16541 40abee 16498->16541 16553 401feb GetTickCount 16498->16553 16574 403cfb 16498->16574 16577 40ab81 16498->16577 16500->16498 16554 40a7c1 16502->16554 16504->16498 16505->16498 16506->16498 16507->16498 16509 4030fa 4 API calls 16508->16509 16510 403e1d 16509->16510 16510->16498 16512 4030fa 4 API calls 16511->16512 16513 403e5c 16512->16513 16513->16498 16515 4030fa 4 API calls 16514->16515 16517 403863 16515->16517 16516 4038b2 16516->16498 16517->16516 
16518 4038b9 16517->16518 16519 403889 16517->16519 16598 4035f9 16518->16598 16592 403718 16519->16592 16524 4035f9 6 API calls 16524->16516 16525 403718 6 API calls 16525->16516 16527 405cf4 16526->16527 16528 405cec 16526->16528 16530 404bd1 4 API calls 16527->16530 16604 404bd1 GetTickCount 16528->16604 16531 405d02 16530->16531 16609 405472 16531->16609 16535 40a7b9 16534->16535 16535->16498 16537 40f315 14 API calls 16536->16537 16538 40aceb 16537->16538 16539 40acff 16538->16539 16540 40f315 14 API calls 16538->16540 16539->16498 16540->16539 16542 40abfb 16541->16542 16546 40ac65 16542->16546 16672 402f22 16542->16672 16544 40ac23 16544->16546 16550 402684 2 API calls 16544->16550 16545 40f315 14 API calls 16545->16546 16546->16545 16547 40ac6f 16546->16547 16548 40ac8a 16546->16548 16549 40ab81 2 API calls 16547->16549 16548->16498 16551 40ac81 16549->16551 16550->16544 16680 4038f0 16551->16680 16553->16498 16555 40a87d lstrlenA send 16554->16555 16556 40a7df 16554->16556 16558 40a899 16555->16558 16559 40a8bf 16555->16559 16556->16555 16557 40a80a 16556->16557 16564 40a7fa wsprintfA 16556->16564 16566 40a8f2 16556->16566 16557->16555 16562 40a8a5 wsprintfA 16558->16562 16573 40a89e 16558->16573 16560 40a8c4 send 16559->16560 16559->16566 16563 40a8d8 wsprintfA 16560->16563 16560->16566 16561 40a978 recv 16561->16566 16567 40a982 16561->16567 16562->16573 16563->16573 16564->16557 16565 40a9b0 wsprintfA 16565->16573 16566->16561 16566->16565 16566->16567 16568 4030b5 2 API calls 16567->16568 16567->16573 16569 40ab05 16568->16569 16570 40e819 11 API calls 16569->16570 16571 40ab17 16570->16571 16572 40a7a3 inet_ntoa 16571->16572 16572->16573 16573->16498 16575 4030fa 4 API calls 16574->16575 16576 403d0b 16575->16576 16576->16498 16578 40abe9 GetTickCount 16577->16578 16580 40ab8c 16577->16580 16582 40a51d 16578->16582 16579 40aba8 lstrcpynA 16579->16580 16580->16578 16580->16579 16581 40abe1 InterlockedIncrement 16580->16581 16581->16580 16583 40a4c7 4 
API calls 16582->16583 16584 40a52c 16583->16584 16585 40a542 GetTickCount 16584->16585 16586 40a539 GetTickCount 16584->16586 16585->16586 16588 40a56c 16586->16588 16588->16498 16590 40a4c7 4 API calls 16589->16590 16591 40a633 16590->16591 16591->16498 16593 40f04e 4 API calls 16592->16593 16595 40372a 16593->16595 16594 403847 16594->16516 16594->16525 16595->16594 16596 4037b3 GetCurrentThreadId 16595->16596 16596->16595 16597 4037c8 GetCurrentThreadId 16596->16597 16597->16595 16599 40f04e 4 API calls 16598->16599 16600 40360c 16599->16600 16601 4036da GetCurrentThreadId 16600->16601 16603 4036f1 16600->16603 16602 4036e5 GetCurrentThreadId 16601->16602 16601->16603 16602->16603 16603->16516 16603->16524 16605 404bff InterlockedExchange 16604->16605 16606 404c08 16605->16606 16607 404bec GetTickCount 16605->16607 16606->16527 16607->16606 16608 404bf7 Sleep 16607->16608 16608->16605 16628 404763 16609->16628 16611 405b58 16638 404699 16611->16638 16614 404763 lstrlenA 16615 405b6e 16614->16615 16659 404f9f 16615->16659 16617 405b79 16617->16498 16618 40548a 16618->16611 16621 405472 13 API calls 16618->16621 16623 40558d lstrcpynA 16618->16623 16624 405a9f lstrcpyA 16618->16624 16625 405935 lstrcpynA 16618->16625 16626 4058e7 lstrcpyA 16618->16626 16627 404ae6 8 API calls 16618->16627 16632 404ae6 16618->16632 16636 40ef7c lstrlenA lstrlenA lstrlenA 16618->16636 16620 405549 lstrlenA 16620->16618 16621->16618 16623->16618 16624->16618 16625->16618 16626->16618 16627->16618 16630 40477a 16628->16630 16629 404859 16629->16618 16630->16629 16631 40480d lstrlenA 16630->16631 16631->16630 16633 404af3 16632->16633 16635 404b03 16632->16635 16634 40ebed 8 API calls 16633->16634 16634->16635 16635->16620 16637 40efb4 16636->16637 16637->16618 16664 4045b3 16638->16664 16641 4045b3 7 API calls 16642 4046c6 16641->16642 16643 4045b3 7 API calls 16642->16643 16644 4046d8 16643->16644 16645 4045b3 7 API calls 16644->16645 16646 4046ea 16645->16646 16647 4045b3 7 API 
calls 16646->16647 16648 4046ff 16647->16648 16649 4045b3 7 API calls 16648->16649 16650 404711 16649->16650 16651 4045b3 7 API calls 16650->16651 16652 404723 16651->16652 16653 40ef7c 3 API calls 16652->16653 16654 404735 16653->16654 16655 40ef7c 3 API calls 16654->16655 16656 40474a 16655->16656 16657 40ef7c 3 API calls 16656->16657 16658 40475c 16657->16658 16658->16614 16660 404fac 16659->16660 16663 404fb0 16659->16663 16660->16617 16661 404ffd 16661->16617 16662 404fd5 IsBadCodePtr 16662->16663 16663->16661 16663->16662 16665 4045c1 16664->16665 16666 4045c8 16664->16666 16667 40ebcc 4 API calls 16665->16667 16668 40ebcc 4 API calls 16666->16668 16670 4045e1 16666->16670 16667->16666 16668->16670 16669 404691 16669->16641 16670->16669 16671 40ef7c 3 API calls 16670->16671 16671->16670 16687 402d21 GetModuleHandleA 16672->16687 16675 402fcf GetProcessHeap HeapFree 16679 402f44 16675->16679 16676 402f85 16676->16675 16676->16676 16677 402f4f 16678 402f6b GetProcessHeap HeapFree 16677->16678 16678->16679 16679->16544 16681 403900 16680->16681 16683 403980 16680->16683 16682 4030fa 4 API calls 16681->16682 16686 40390a 16682->16686 16683->16548 16684 40391b GetCurrentThreadId 16684->16686 16685 403939 GetCurrentThreadId 16685->16686 16686->16683 16686->16684 16686->16685 16688 402d46 LoadLibraryA 16687->16688 16689 402d5b GetProcAddress 16687->16689 16688->16689 16690 402d54 16688->16690 16689->16690 16691 402d6b 16689->16691 16690->16676 16690->16677 16690->16679 16691->16690 16692 402d97 GetProcessHeap HeapAlloc 16691->16692 16693 402db5 lstrcpynA 16691->16693 16692->16690 16692->16691 16693->16691 16695 40f428 14 API calls 16694->16695 16696 40198a 16695->16696 16697 401990 closesocket 16696->16697 16698 401998 16696->16698 16697->16698 16698->16341 16700 402d21 6 API calls 16699->16700 16701 402f01 16700->16701 16702 402f0f 16701->16702 16715 402df2 GetModuleHandleA 16701->16715 16704 402684 2 API calls 16702->16704 16706 402f1f 16702->16706 16705 402f1d 
16704->16705 16705->16344 16706->16344 16708 401c80 16707->16708 16709 401cc2 wsprintfA 16708->16709 16710 401d1c 16708->16710 16714 401d79 16708->16714 16711 402684 2 API calls 16709->16711 16712 401d47 wsprintfA 16710->16712 16711->16708 16713 402684 2 API calls 16712->16713 16713->16714 16714->16365 16716 402e10 LoadLibraryA 16715->16716 16717 402e0b 16715->16717 16718 402e17 16716->16718 16717->16716 16717->16718 16719 402ef1 16718->16719 16720 402e28 GetProcAddress 16718->16720 16719->16702 16720->16719 16721 402e3e GetProcessHeap HeapAlloc 16720->16721 16722 402e62 16721->16722 16722->16719 16723 402ede GetProcessHeap HeapFree 16722->16723 16724 402e7f htons inet_addr 16722->16724 16725 402ea5 gethostbyname 16722->16725 16728 402ceb 16722->16728 16723->16719 16724->16722 16724->16725 16725->16722 16726 402eb0 16725->16726 16726->16722 16729 402cf2 16728->16729 16731 402d1c 16729->16731 16732 402d0e Sleep 16729->16732 16733 402a62 GetProcessHeap HeapAlloc 16729->16733 16731->16722 16732->16729 16732->16731 16734 402a92 16733->16734 16735 402a99 socket 16733->16735 16734->16729 16736 402cd3 GetProcessHeap HeapFree 16735->16736 16737 402ab4 16735->16737 16736->16734 16737->16736 16742 402abd 16737->16742 16738 402adb htons 16754 4026ff 16738->16754 16740 402b04 select 16740->16742 16750 402ac3 16740->16750 16741 402ca4 16743 402cb3 GetProcessHeap HeapFree closesocket 16741->16743 16742->16738 16742->16740 16744 402b3f recv 16742->16744 16745 402b66 htons 16742->16745 16746 402b87 htons 16742->16746 16742->16750 16761 402923 16742->16761 16743->16734 16744->16742 16744->16750 16745->16741 16745->16742 16746->16741 16746->16742 16749 402bf3 GetProcessHeap HeapAlloc 16749->16750 16750->16741 16750->16742 16750->16743 16750->16749 16751 402c17 htons 16750->16751 16753 402c4d GetProcessHeap HeapFree 16750->16753 16774 402904 16750->16774 16770 402871 16751->16770 16753->16750 16755 40271d 16754->16755 16756 402717 16754->16756 16758 40272b GetTickCount htons 
16755->16758 16757 40ebcc 4 API calls 16756->16757 16757->16755 16759 4027cc htons htons sendto 16758->16759 16760 40278a 16758->16760 16759->16742 16760->16759 16762 402944 16761->16762 16764 40293d 16761->16764 16778 402816 htons 16762->16778 16764->16750 16765 402871 htons 16766 402950 16765->16766 16766->16764 16766->16765 16767 4029bd htons htons htons 16766->16767 16767->16764 16768 4029f6 GetProcessHeap HeapAlloc 16767->16768 16768->16764 16769 402a10 16768->16769 16769->16764 16769->16766 16771 4028e3 16770->16771 16772 402889 16770->16772 16771->16750 16772->16771 16773 4028c3 htons 16772->16773 16773->16771 16773->16772 16775 402921 16774->16775 16776 402908 16774->16776 16775->16750 16777 402909 GetProcessHeap HeapFree 16776->16777 16777->16775 16777->16777 16779 40286b 16778->16779 16780 402836 16778->16780 16779->16766 16780->16779 16781 40285c htons 16780->16781 16781->16779 16781->16780 16783 406bbc 16782->16783 16784 406bc0 16782->16784 16783->16381 16785 40ebcc 4 API calls 16784->16785 16795 406bd4 16784->16795 16786 406be4 16785->16786 16787 406c07 CreateFileA 16786->16787 16788 406bfc 16786->16788 16786->16795 16790 406c34 WriteFile 16787->16790 16791 406c2a 16787->16791 16789 40ec2e codecvt 4 API calls 16788->16789 16789->16795 16792 406c49 CloseHandle DeleteFileA 16790->16792 16793 406c5a CloseHandle 16790->16793 16794 40ec2e codecvt 4 API calls 16791->16794 16792->16791 16796 40ec2e codecvt 4 API calls 16793->16796 16794->16795 16795->16381 16796->16795 14992 41a830 14995 41a410 14992->14995 14994 41a835 14996 41a438 14995->14996 14997 41a4c8 6 API calls 14996->14997 15005 41a5d8 14996->15005 14998 41a52f 6 API calls 14997->14998 15001 41a5a5 GetSystemDefaultLCID 14998->15001 14999 41a622 GetSystemTimes 15004 41a646 14999->15004 14999->15005 15000 41a612 GetUserObjectInformationW 15000->14999 15002 41a5b4 RtlEnterCriticalSection 15001->15002 15003 41a5bf 15001->15003 15002->15003 15003->15005 15006 41a5c8 LoadLibraryW 15003->15006 15007 41a644 
15004->15007 15008 41a64f FoldStringA 15004->15008 15005->14999 15005->15000 15005->15007 15006->15005 15009 41a717 LocalAlloc 15007->15009 15010 41a676 8 API calls 15007->15010 15008->15007 15012 41a734 15009->15012 15013 41a75c LoadLibraryW 15009->15013 15019 41a6e1 15010->15019 15012->15013 15022 41a130 15013->15022 15015 41a76c 15025 41a3a0 15015->15025 15017 41a789 GlobalSize 15018 41a771 15017->15018 15018->15017 15020 41a7b3 InterlockedExchange 15018->15020 15021 41a7c9 15018->15021 15019->15009 15020->15018 15021->14994 15024 41a136 GetModuleHandleW GetProcAddress VirtualProtect 15022->15024 15024->15015 15026 41a3c2 15025->15026 15027 41a3b6 QueryDosDeviceW 15025->15027 15036 41a280 15026->15036 15027->15026 15030 41a3d5 FreeEnvironmentStringsW 15031 41a3dd 15030->15031 15039 41a2c0 15031->15039 15034 41a3f4 RtlAllocateHeap GetNumaProcessorNode 15035 41a40a 15034->15035 15035->15018 15037 41a297 GetStartupInfoA LoadLibraryW 15036->15037 15038 41a2a9 15036->15038 15037->15038 15038->15030 15038->15031 15040 41a2f5 15039->15040 15041 41a2e4 BuildCommDCBW 15039->15041 15042 41a2fd WritePrivateProfileStringA UnhandledExceptionFilter 15040->15042 15045 41a313 15040->15045 15041->15045 15042->15045 15043 41a370 15043->15034 15043->15035 15045->15043 15046 41a349 SetCalendarInfoA GetShortPathNameA 15045->15046 15047 41a2b0 15045->15047 15046->15045 15050 41a230 15047->15050 15051 41a25b 15050->15051 15052 41a24c VirtualLock 15050->15052 15051->15045 15052->15051 15068 2bc0005 15073 2bc092b GetPEB 15068->15073 15070 2bc0030 15075 2bc003c 15070->15075 15074 2bc0972 15073->15074 15074->15070 15076 2bc0049 15075->15076 15090 2bc0e0f SetErrorMode SetErrorMode 15076->15090 15081 2bc0265 15082 2bc02ce VirtualProtect 15081->15082 15084 2bc030b 15082->15084 15083 2bc0439 VirtualFree 15088 2bc05f4 LoadLibraryA 15083->15088 15089 2bc04be 15083->15089 15084->15083 15085 2bc04e3 LoadLibraryA 15085->15089 15087 2bc08c7 15088->15087 15089->15085 15089->15088 15091 2bc0223 
15090->15091 15092 2bc0d90 15091->15092 15093 2bc0dad 15092->15093 15094 2bc0dbb GetPEB 15093->15094 15095 2bc0238 VirtualAlloc 15093->15095 15094->15095 15095->15081
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 264 41a410-41a435 265 41a438-41a43e 264->265 266 41a440-41a44a 265->266 267 41a44f-41a459 265->267 266->267 268 41a45b-41a476 267->268 269 41a47c-41a483 267->269 268->269 269->265 270 41a485-41a48d 269->270 272 41a490-41a496 270->272 273 41a4a4-41a4ae 272->273 274 41a498-41a49e 272->274 275 41a4b0 273->275 276 41a4b2-41a4b9 273->276 274->273 275->276 276->272 277 41a4bb-41a4c2 276->277 278 41a4c8-41a5b2 InterlockedIncrement SetConsoleTitleW GlobalSize FindAtomA SearchPathW SetConsoleMode GetDefaultCommConfigA CopyFileExW GetEnvironmentStrings WriteConsoleOutputW GetNumaHighestNodeNumber DebugActiveProcess GetSystemDefaultLCID 277->278 279 41a5fa-41a606 277->279 286 41a5b4-41a5b9 RtlEnterCriticalSection 278->286 287 41a5bf-41a5c6 278->287 280 41a608-41a610 279->280 283 41a622-41a639 GetSystemTimes 280->283 284 41a612-41a61c GetUserObjectInformationW 280->284 288 41a646-41a64d 283->288 289 41a63b-41a642 283->289 284->283 286->287 290 41a5d8-41a5f7 287->290 291 41a5c8-41a5d2 LoadLibraryW 287->291 293 41a668-41a670 288->293 294 41a64f-41a662 FoldStringA 288->294 289->280 292 41a644 289->292 290->279 291->290 292->293 295 41a717-41a732 LocalAlloc 293->295 296 41a676-41a711 GetConsoleAliasesLengthW CallNamedPipeW GetComputerNameA CopyFileA GetFileAttributesW GetConsoleAliasExesLengthW OpenWaitableTimerA GetBinaryType 293->296 294->293 299 41a734-41a73f 295->299 300 41a75c-41a767 LoadLibraryW call 41a130 295->300 296->295 301 41a740-41a750 299->301 307 41a76c-41a77f call 41a3a0 300->307 305 41a752 301->305 306 41a757-41a75a 301->306 305->306 306->300 306->301 312 41a780-41a787 307->312 314 41a789-41a799 GlobalSize 312->314 315 41a79d-41a7a3 312->315 314->315 316 41a7a5 call 41a120 315->316 317 41a7aa-41a7b1 315->317 316->317 321 41a7c0-41a7c7 317->321 322 41a7b3-41a7ba InterlockedExchange 317->322 321->312 324 41a7c9-41a7d9 321->324 322->321 325 41a7e0-41a7f0 
324->325 327 41a7f2-41a7f4 325->327 328 41a7fb-41a7fc 325->328 327->328 328->325 329 41a7fe-41a802 328->329 330 41a804-41a809 329->330 332 41a813-41a819 330->332 333 41a80b-41a811 330->333 332->330 334 41a81b-41a82f 332->334 333->332 333->334
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0041A4CD
                                                                                            • SetConsoleTitleW.KERNEL32(00000000), ref: 0041A4D5
                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0041A4DD
                                                                                            • FindAtomA.KERNEL32(00000000), ref: 0041A4E5
                                                                                            • SearchPathW.KERNEL32(0041C9EC,0041C9D4,0041C990,00000000,?,?), ref: 0041A509
                                                                                            • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A513
                                                                                            • GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 0041A53B
                                                                                            • CopyFileExW.KERNEL32(0041CABC,0041CA28,00000000,00000000,00000000,00000000), ref: 0041A553
                                                                                            • GetEnvironmentStrings.KERNEL32 ref: 0041A559
                                                                                            • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A578
                                                                                            • GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A583
                                                                                            • DebugActiveProcess.KERNEL32(00000000), ref: 0041A58B
                                                                                            • GetSystemDefaultLCID.KERNEL32 ref: 0041A5A5
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0041A5B9
                                                                                            • LoadLibraryW.KERNEL32(00000000), ref: 0041A5D2
                                                                                            • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A61C
                                                                                            • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A631
                                                                                            • FoldStringA.KERNEL32(00000000,0041CB20,00000000,?,00000000), ref: 0041A662
                                                                                            • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A685
                                                                                            • CallNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A692
                                                                                            • GetComputerNameA.KERNEL32(?,?), ref: 0041A6A5
                                                                                            • CopyFileA.KERNEL32(0041CBB0,0041CB74,00000000), ref: 0041A6B6
                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041A6BD
                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A6C3
                                                                                            • OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A6CC
                                                                                            • GetBinaryType.KERNEL32(00000000,00000000), ref: 0041A6D4
                                                                                            • LocalAlloc.KERNELBASE(00000000,02B3BD3C), ref: 0041A71A
                                                                                            • LoadLibraryW.KERNELBASE(0041CBD4), ref: 0041A761
                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0041A78B
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A7BA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477498011.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_OPgjjiInNK.jbxd
                                                                                            Similarity
                                                                                            • API ID: Console$File$CopyDefaultGlobalInterlockedLengthLibraryLoadSizeSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugEnterEnvironmentExchangeExesFindFoldHighestIncrementInformationLocalModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionStringStringsTimerTimesTitleTypeUserWaitableWrite
                                                                                            • String ID: G8@$k`$}$
                                                                                            • API String ID: 2021998368-2454866677
                                                                                            • Opcode ID: c20b0f9132504e20e45857b70263f7ed5fda3a721a27f081dae6514de2f19790
                                                                                            • Instruction ID: 1cb56033e5bb0cfc049956454b03617a232e848171a59f9ca16378ab9defabf1
                                                                                            • Opcode Fuzzy Hash: c20b0f9132504e20e45857b70263f7ed5fda3a721a27f081dae6514de2f19790
                                                                                            • Instruction Fuzzy Hash: 97A13871985310ABD320AB61DC49FDF3BA8EB4C715F00843AF259A61D1CB789941CBEE

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 569 409326-409348 call 401910 GetVersionExA 572 409358-40935c 569->572 573 40934a-409356 569->573 574 409360-40937d GetModuleHandleA GetModuleFileNameA 572->574 573->574 575 409385-4093a2 574->575 576 40937f 574->576 577 4093a4-4093d7 call 402544 wsprintfA 575->577 578 4093d9-409412 call 402544 wsprintfA 575->578 576->575 583 409415-40942c call 40ee2a 577->583 578->583 586 4094a3-4094b3 call 406edd 583->586 587 40942e-409432 583->587 592 4094b9-4094f9 call 402544 RegOpenKeyExA 586->592 593 40962f-409632 586->593 587->586 589 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 587->589 589->586 605 409502-40952e call 402544 RegQueryValueExA 592->605 606 4094fb-409500 592->606 595 409634-409637 593->595 599 409639-40964a call 401820 595->599 600 40967b-409682 595->600 617 40964c-409662 599->617 618 40966d-409679 599->618 603 409683 call 4091eb 600->603 614 409688-409690 603->614 621 409530-409537 605->621 622 409539-409565 call 402544 RegQueryValueExA 605->622 607 40957a-40957f 606->607 615 409581-409584 607->615 616 40958a-40958d 607->616 624 409692 614->624 625 409698-4096a0 614->625 615->595 615->616 616->600 626 409593-40959a 616->626 619 409664-40966b 617->619 620 40962b-40962d 617->620 618->603 619->620 630 4096a2-4096a9 620->630 627 40956e-409577 RegCloseKey 621->627 622->627 637 409567 622->637 624->625 625->630 631 40961a-40961f 626->631 632 40959c-4095a1 626->632 627->607 635 409625 631->635 632->631 636 4095a3-4095c0 call 40f0e4 632->636 635->620 642 4095c2-4095db call 4018e0 636->642 643 40960c-409618 636->643 637->627 642->630 646 4095e1-4095f9 642->646 643->635 646->630 647 4095ff-409607 646->647 647->630
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

Control-flow Graph for 406a60 (rendered graph omitted; basic blocks 406a60-406ba6, subcalls 406987, 40eb0e, 40eca5)
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID: PromptOnSecureDesktop
• API String ID: 3188212458-2980165447
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C7B19E
• Module32First.KERNEL32(00000000,00000224), ref: 02C7B1BE
Memory Dump Source
• Source File: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c7a000_OPgjjiInNK.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 5a6188c3c2243eb2b8e12d8488a43ae01ace68566147740a00d65498840ebc65
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: DDF090322007116FD7203BF9AC8CB6FBAF8EF89729F100528E686D11C0DB70ED458A61
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
• Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

Control-flow Graph for 4073ff (rendered graph omitted; basic blocks 4073ff-407808, subcalls 402544, 406c96, 406cad, 406dc2, 40ed03, 40ed23, 40ed77, 40ee08, 40ee2a, 40ee95, 40ef00, 40f1a5)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph for 40704c (rendered graph omitted; basic blocks 40704c-4073f7, subcalls 402544, 406c96, 406cad, 406dc2, 40ed23, 40ed77, 40ee2a, 40ee95, 40eed1, 40ef00, 40f1a5)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 0040719E
• RegCloseKey.KERNELBASE(774D0F10,?,774D0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407208
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(774D0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(774D0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(774D0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
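The argument columns in the APIs lines above are easier to read once the Win32 constants are named: 80000002 and 80000001 are the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER pseudo-handles, 00020119 is KEY_READ|KEY_WOW64_64KEY, 00000101 is KEY_QUERY_VALUE|KEY_WOW64_64KEY, 00000008 in CreateToolhelp32Snapshot is TH32CS_SNAPMODULE, and in the CreateFileA call at 00406A7D the values 40000000, 00000002 and 00000080 are GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL. As background the report itself does not state: PromptOnSecureDesktop, the string these functions reference, is the UAC policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that controls whether consent prompts are shown on the secure desktop, and runas is the ShellExecute verb that requests elevation. The decoder below is an added example for triaging listings like this one; it is not Joe Sandbox code. It assumes the slots are raw stack captures at call time, so values past an API's documented parameter count are caller residue (774D0F10 recurs in unrelated calls above), and it looks for the RegOpenKeyExA access mask in slot 2 or 3 because the line at 00407472 carries the mask in slot 2 while the one at 004074F0 carries it in the documented fourth position. The sample input is a constructed set of lines copied from the listing above.

```python
"""Decode the "APIs" lines of a Joe Sandbox function listing (added example).
Assumes the argument slots are raw stack captures: values past the documented
parameter count are caller residue, and RegOpenKeyExA's access mask may sit in
slot 2 (as in the lines above) instead of the documented slot 3."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

Arg = Union[int, str, None]  # hex slot, literal string, or "?" (not captured)
LINE_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Documented parameter counts; slots beyond these are stack residue in the report.
PARAM_COUNT = {"RegOpenKeyExA": 5, "RegQueryValueExA": 6, "RegEnumKeyA": 4, "CreateFileA": 7,
               "SetFileAttributesA": 2, "ReadFile": 5, "SetFilePointer": 4, "GetDiskFreeSpaceA": 5,
               "CreateToolhelp32Snapshot": 2, "Module32First": 2, "GetFileAttributesExA": 3}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_BITS = [(0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
            (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
            (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
KEY_ALL = sum(b for b, _ in KEY_BITS)
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE")]
SHARE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"), (0x4, "FILE_ATTRIBUTE_SYSTEM"),
             (0x20, "FILE_ATTRIBUTE_ARCHIVE"), (0x80, "FILE_ATTRIBUTE_NORMAL"), (0x100, "FILE_ATTRIBUTE_TEMPORARY"),
             (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
TH32 = [(0x1, "TH32CS_SNAPHEAPLIST"), (0x2, "TH32CS_SNAPPROCESS"), (0x4, "TH32CS_SNAPTHREAD"),
        (0x8, "TH32CS_SNAPMODULE"), (0x10, "TH32CS_SNAPMODULE32")]


def _flags(value: int, bits, composites=()) -> str:
    """Render a bitmask as NAME|NAME; composites such as KEY_READ are collapsed first."""
    names, rest = [], value
    for mask, name in list(composites) + bits:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def decode(api: str, args: List[Arg]) -> Dict[int, str]:
    """Name the constants in the slots where the documented signature puts them."""
    s = lambda i: args[i] if i < len(args) and isinstance(args[i], int) else None
    out: Dict[int, str] = {}
    if api == "RegOpenKeyExA":
        if s(0) in HIVES:
            out[0] = HIVES[s(0)]
        for i in (2, 3):  # documented slot is 3; the line at 00407472 carries the mask in slot 2
            if s(i) and (s(i) & ~KEY_ALL) == 0:
                out[i] = _flags(s(i), KEY_BITS, [(0x20019, "KEY_READ")])
                break
    elif api == "CreateFileA":
        for i, table in ((1, GENERIC), (2, SHARE), (5, FILE_ATTR)):
            if s(i) is not None:
                out[i] = _flags(s(i), table)
        if s(4) in DISPOSITION:
            out[4] = DISPOSITION[s(4)]
    elif api == "SetFileAttributesA" and s(1) is not None:
        out[1] = _flags(s(1), FILE_ATTR)
    elif api == "CreateToolhelp32Snapshot" and s(0) is not None:
        out[0] = _flags(s(0), TH32)
    return out


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    decoded: Dict[int, str] = field(default_factory=dict)

    def describe(self) -> str:
        """Documented parameters only, with decoded names where known."""
        n = PARAM_COUNT.get(self.api, len(self.args))
        shown = [self.decoded.get(i, "?" if a is None else f"0x{a:X}" if isinstance(a, int) else repr(a))
                 for i, a in enumerate(self.args[:n])]
        return f"{self.api}({', '.join(shown)}) @ {self.ref:08X}"


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_report(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if m:
            args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), decode(m["api"], args)))
    return calls


# Constructed input: "APIs" lines copied from the listing above.
SAMPLE = """
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C7B19E
• GetTickCount.KERNEL32 ref: 0040EC78
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
"""

if __name__ == "__main__":
    print("\n".join(c.describe() for c in parse_report(SAMPLE)))
```

Running it on the sample prints one line per call with only the documented parameters, for instance CreateFileA(?, GENERIC_WRITE, 0x0, 0x0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0x0) @ 00406A7D for the write-probe in the function at 406a60, and HeapFree(0x0) @ 0040EC48 for the subcall line, whose "Part of subcall function" prefix is accepted by the pattern. Slots shown as "?" were not captured by the sandbox; the decoder never guesses them.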

Control-flow Graph for 40675c (rendered graph omitted; basic blocks 40675c-406986, subcalls 40ebcc, 40ec2e)
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,774D0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,774D0F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNELBASE(000000FF,?,774D0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
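The read sizes in the trace above (0x40, then 0xF8, then 0x28 bytes, each preceded by a SetFilePointer, then a rewind to offset 0 and a full read) are the sizes of IMAGE_DOS_HEADER, IMAGE_NT_HEADERS32 and IMAGE_SECTION_HEADER: the function parses a PE32 file from disk by hand before mapping it. The following is an added example, written for this report and not code from the sample or from Joe Sandbox, that reproduces that seek/read sequence in Python on a constructed minimal PE32 and flags sections that are both writable and executable (the precondition for the "changes PE section rights" unpacking behaviour listed in the signatures). The sample PE built by build_sample_pe() and the section names in it are assumptions made for the example.

```python
import io
import struct

# Read sizes taken from the sample's trace: 0x40, 0xF8 and 0x28 bytes
DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8     # sizeof(IMAGE_NT_HEADERS32); PE32+ would need 0x108
SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def read_pe_layout(fh):
    """Walk a PE32 file with the same seek/read sequence as the trace:
    DOS header, NT headers, one section header per section, then rewind
    to offset 0 and read the whole file.  Returns the fields a loader
    needs plus a per-section write+execute flag."""
    dos = fh.read(DOS_HEADER_SIZE)                       # ReadFile(..., 0x40)
    if len(dos) != DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]

    fh.seek(e_lfanew)                                    # SetFilePointer(e_lfanew)
    nt = fh.read(NT_HEADERS32_SIZE)                      # ReadFile(..., 0xF8)
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 4 + 20                                         # IMAGE_OPTIONAL_HEADER32 offset inside nt
    if struct.unpack_from("<H", nt, opt)[0] != 0x10B:
        raise ValueError("not PE32; a fixed 0xF8-byte read is wrong for PE32+")
    entry = struct.unpack_from("<I", nt, opt + 16)[0]
    image_base = struct.unpack_from("<I", nt, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", nt, opt + 56)[0]

    sections = []
    first_section = e_lfanew + opt + opt_size
    for i in range(nsections):
        fh.seek(first_section + i * SECTION_HEADER_SIZE)  # SetFilePointer
        raw = fh.read(SECTION_HEADER_SIZE)                # ReadFile(..., 0x28)
        if len(raw) != SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", raw)
        chars = struct.unpack_from("<I", raw, 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_offset": rawptr,
            "raw_size": rawsize,
            "characteristics": chars,
            # a section that is both writable and executable is what
            # self-modifying unpacker stubs rely on
            "writable_and_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)
                                       and bool(chars & IMAGE_SCN_MEM_WRITE),
        })

    fh.seek(0)                                           # SetFilePointer(0)
    image = fh.read()                                    # ReadFile of the whole file
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "entry_point": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "sections": sections,
        "file_size": len(image),
    }


def build_sample_pe():
    """Constructed minimal PE32 for this example (an assumption, not the
    analysed sample): a .text section marked RX and a second section
    named UPX1 marked RWX."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)    # e_lfanew = 0x40

    opt_size = 0xE0
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    nt = b"PE\0\0" + file_header + bytes(opt)

    def section(name, va, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, rawptr, 0, 0, 0, 0, chars)

    headers = dos + nt
    headers += section(b".text", 0x1000, 0x200, 0x60000020)  # CODE|EXECUTE|READ
    headers += section(b"UPX1", 0x2000, 0x400, 0xE0000040)   # INIT_DATA|EXECUTE|READ|WRITE
    headers += bytes(0x200 - len(headers))                   # pad to SizeOfHeaders
    text = b"\xC3" + bytes(0x1FF)                            # ret, rest zero
    data = bytes(0x200)
    return bytes(headers + text + data)


def layout_of_sample():
    """Parse the constructed PE exactly as the sample would read it from disk."""
    return read_pe_layout(io.BytesIO(build_sample_pe()))


if __name__ == "__main__":
    for s in layout_of_sample()["sections"]:
        print(s["name"], hex(s["characteristics"]), "RWX" if s["writable_and_executable"] else "")
```

The fixed 0xF8-byte read is the detail worth keeping in mind when triaging: it only works for PE32, so any payload the sample unpacks and maps this way is 32-bit, consistent with the 0x0040xxxx addresses throughout the report.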

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 2bc003c-2bc091d; API nodes: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (twice); subcalls: 2bc0a3f, 2bc0e0f, 2bc0d90, 2bc0a69, 2bc0cce, 2bc0ce7
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BC024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: a97384a6708762faa592521019cf2917f48b713c582d72c5f24114e11d221d69
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: D9526974A01229DFDB64DF58C984BACBBB1BF09304F1484E9E94DAB351DB30AA95CF14

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 41a0df-41a225; API nodes: GetModuleHandleW, GetProcAddress, VirtualProtect
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(02B3BC10), ref: 0041A1CE
                                                                                            • GetProcAddress.KERNEL32(00000000,00420740), ref: 0041A201
                                                                                            • VirtualProtect.KERNELBASE(02B3BA5C,02B3BD3C,00000040,?), ref: 0041A220
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477498011.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_OPgjjiInNK.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2099061454-3916222277
                                                                                            • Opcode ID: a39bc834b0b1f7718e83533ef4769e581a0cf0e7cd2d49fb7ec58536719bd093
                                                                                            • Instruction ID: 86dd5a41ececfacf906e206a0d5956c4e61b7a975677dbe62a27e9abde9d3234
                                                                                            • Opcode Fuzzy Hash: a39bc834b0b1f7718e83533ef4769e581a0cf0e7cd2d49fb7ec58536719bd093
                                                                                            • Instruction Fuzzy Hash: 9531D131649340DAD330CF28E94475A3BB0FB84348F80596ED0488B2A6DB79155ACB5E
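Two of the records above are the ones a responder reads first: the 02BC0000 region (a non-PE allocation that calls VirtualAlloc with MEM_COMMIT and PAGE_READWRITE, then VirtualProtect and LoadLibraryA with the string kernel32.dll in reach) and the 0041A0FD stub that resolves an export through GetModuleHandleW/GetProcAddress and then calls VirtualProtect with flNewProtect = 0x40, PAGE_EXECUTE_READWRITE. The following is an added example, not part of the Joe Sandbox report and not code from the sample, that parses trace lines in the exact form printed here and applies those two checks so they can be run over every function record in a report rather than read by eye. The two sample traces are copied from the records above; the finding texts and the rule set are the example's own.

```python
import re
from dataclasses import dataclass

PAGE_EXECUTE_MASK = 0xF0        # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY
PAGE_EXECUTE_READWRITE = 0x40

# One trace line: "API.MODULE(arg,arg,...), ref: ADDRESS", optionally prefixed
# by "Part of subcall function XXXXXXXX:" as the report prints for subcalls.
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # int for 8-digit hex literals, None for '?', str otherwise
    ref: int            # address of the call site


def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(text):
    """Turn the report's API lines for one function into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"].strip() else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def triage(calls):
    """Flag the memory-rights and import-resolution patterns seen in the report."""
    findings = []
    names = {c.api for c in calls}
    for c in calls:
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
        if c.api == "VirtualProtect" and len(c.args) >= 3 and isinstance(c.args[2], int):
            if c.args[2] == PAGE_EXECUTE_READWRITE:
                findings.append(f"VirtualProtect to PAGE_EXECUTE_READWRITE at {c.ref:08X}")
            elif c.args[2] & PAGE_EXECUTE_MASK:
                findings.append(f"VirtualProtect adds execute rights at {c.ref:08X}")
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[3], int):
            if c.args[3] & PAGE_EXECUTE_MASK:
                findings.append(f"VirtualAlloc of executable memory at {c.ref:08X}")
    if {"GetProcAddress", "VirtualProtect"} <= names:
        findings.append("resolves an import by hand, then changes page rights (unpacking/hooking pattern)")
    if {"VirtualAlloc", "LoadLibraryA"} <= names:
        findings.append("allocates memory and loads libraries by name (manual PE mapping pattern)")
    return findings


# Sample input copied from the two records above (the 0041A0FD stub and the
# 02BC0000 loader); both are used here only as parser input.
UNPACK_STUB_TRACE = """
• GetModuleHandleW.KERNEL32(02B3BC10), ref: 0041A1CE
• GetProcAddress.KERNEL32(00000000,00420740), ref: 0041A201
• VirtualProtect.KERNELBASE(02B3BA5C,02B3BD3C,00000040,?), ref: 0041A220
"""

LOADER_TRACE = """
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BC024D
"""


def triage_trace(text):
    return triage(parse_trace(text))


if __name__ == "__main__":
    for label, trace in (("0041A0FD", UNPACK_STUB_TRACE), ("02BC0000", LOADER_TRACE)):
        print(label, triage_trace(trace) or ["nothing flagged from the API list alone"])
```

The loader trace produces no finding from its API list alone because the allocation is PAGE_READWRITE; the execute right is added later by the VirtualProtect node that only appears in the control-flow graph, so a rule that looks at VirtualAlloc protection alone would miss this style of two-step mapping.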

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447
                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 41a130-41a225; API nodes: GetModuleHandleW, GetProcAddress, VirtualProtect
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(02B3BC10), ref: 0041A1CE
                                                                                            • GetProcAddress.KERNEL32(00000000,00420740), ref: 0041A201
                                                                                            • VirtualProtect.KERNELBASE(02B3BA5C,02B3BD3C,00000040,?), ref: 0041A220
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477498011.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_OPgjjiInNK.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2099061454-3916222277
                                                                                            • Opcode ID: f5454f1364909d5afd693462bc0cccd3f0f7704ea35b0a32995bc537a029ea49
                                                                                            • Instruction ID: f068d6293579deb03121dfff12433525e98e11f5071f74c33473d7f72ac488a1
                                                                                            • Opcode Fuzzy Hash: f5454f1364909d5afd693462bc0cccd3f0f7704ea35b0a32995bc537a029ea49
                                                                                            • Instruction Fuzzy Hash: 39117C60A58340DAD330CF68F90571A3BF1FB84748F80546CD1489B2B6DFB52656CB9E

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 404000-40405c; API nodes: CreateFileA, GetLastError, Sleep; the Sleep block loops back to the CreateFileA block (open-with-retry)
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 408151869-2980165447
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 406987-406a5f; API nodes: WriteFile (twice); the second WriteFile sits in a loop
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 406dc2-406e35; API nodes: GetVolumeInformationA; subcalls: 406cc9, 40ef00
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID: J$B,
                                                                                            • API String ID: 1823874839-440322077
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                             Control-flow Graph
                                                                                             • Basic blocks 4091eb-409324; API nodes: ShellExecuteA, Sleep; subcalls: 40ed03, 40ee08; the Sleep path loops back to the top of the function (execute-with-retry)
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-0
                                                                                            • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                            • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons
                                                                                            • String ID:
                                                                                            • API String ID: 4207154920-0
                                                                                            • Opcode ID: 187c86c8f1f781262b8a3b75dd470914a26b3971c19be9e3166c0f3fac1d64c3
                                                                                            • Instruction ID: 3082a3e8c454676fba1296bd51f7fa4b59934e38c5c07495e43d4969eff46972
                                                                                            • Opcode Fuzzy Hash: 187c86c8f1f781262b8a3b75dd470914a26b3971c19be9e3166c0f3fac1d64c3
                                                                                            • Instruction Fuzzy Hash: 62F0C837800134D6CF107B9689085BAB3EC9B11319B55C57BEC46F71C0E2B8EE4196A8
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02BC0223,?,?), ref: 02BC0E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02BC0223,?,?), ref: 02BC0E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: 77c97d7024dbc5d55cac5be4f831ea749ad4cceaf4e4613560d8921a742c1e29
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: 10D01231545129B7D7003A94DC09BCD7B1CDF09B67F108451FB0DD9080C770954046E5
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C7AE86
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2c7a000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 93f42be21b920d4202ca1d4984ffdc8fde22671aeebc77192f1f93385cb9debd
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: A3113C79A00208EFDB01DF98C985E99BBF5AF08350F058094F9489B361D371EA50EF80
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3791576231
                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-1839596206
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 02BC65F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02BC6610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02BC6631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02BC6652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 49160bde628fa6b11c5e4f70835f5331beb0afa238e76c7ce2bb470bb80b1025
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 5F1151B1600218BFDB219F65DC45F9B3FACEB457A9F204079FA08E7251DBB1DD008AA4
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: e9c4169f1cdbb9451e493c09451d5fc7c88c54de07c593ae9b5ad607450204a3
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: A3314BB6900609DFDB10DF99C880BADBBF5FF48324F24448AD941A7210D7B1EA45CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478893692.0000000002C7A000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C7A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2c7a000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: d7c1b886fb849e4fb209d6422126b92cd40ee77e9cbc13b4d22e1c496fe6680f
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 39118E72380100AFD744DF55DD81FAA77EAEB89330B2980A5ED04CB316D679E802CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: 036e032725fc328cbafa9cd25af73b3eb867bb778cbe934c1ad8269db9fb5d96
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: 1501A776A10604CFDF21EF24C844BAA33E9EB85215F5548E9D906D7241E774A9418B90
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 02BC9E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02BC9FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02BC9FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 02BCA004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02BCA054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02BCA09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02BCA0D6
                                                                                            • lstrcpy.KERNEL32 ref: 02BCA12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 02BCA13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02BC9F13
                                                                                              • Part of subcall function 02BC7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02BC7081
                                                                                              • Part of subcall function 02BC6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wvtbuegq,02BC7043), ref: 02BC6F4E
                                                                                              • Part of subcall function 02BC6F30: GetProcAddress.KERNEL32(00000000), ref: 02BC6F55
                                                                                              • Part of subcall function 02BC6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02BC6F7B
                                                                                              • Part of subcall function 02BC6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02BC6F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02BCA1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02BCA1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02BCA214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02BCA21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 02BCA265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02BCA29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02BCA2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 02BCA2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02BCA2F4
                                                                                            • wsprintfA.USER32 ref: 02BCA31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02BCA345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02BCA364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02BCA387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02BCA398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02BCA1D1
                                                                                              • Part of subcall function 02BC9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02BC999D
                                                                                              • Part of subcall function 02BC9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02BC99BD
                                                                                              • Part of subcall function 02BC9966: RegCloseKey.ADVAPI32(?), ref: 02BC99C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02BCA3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02BCA3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 02BCA41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 32a35c998f73710cfb4fab86677f2a456b88703959c57ab482a854af67c51cf2
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 65F13FB1D4025DAFDB11DFA09C48EEF7BBDEB08304F2484EAE605E2141E7759A848F64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02BC7D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02BC7D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02BC7D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02BC7DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02BC7DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02BC7DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BC7DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BC7DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02BC7E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02BC7E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02BC7E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02BC7E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 790973d270264d5c59141b4ebfcc07325f6e0a8f881c1b37cf4e2f606d407456
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: DFA15FB2900219AFDF11CFA0DD88FEEBBBDFB08344F1481A9E505E6150DB758A85DB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02BC7A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02BC7ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02BC7ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02BC7B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02BC7B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02BC7B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BC7B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BC7B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02BC7B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02BC7B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02BC7B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02BC7B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02BC7BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02BC7BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02BC7C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02BC7C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02BC7CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02BC7CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02BC7CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02BC7CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02BC7CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 90a89cc1a8f9c6741a390bc532511ab4c3e02f66131745b161c725494eef26e5
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 60813B7190021AABDB11CFA4DD84FEFBBBCEF08344F1480AAE515E6150DB759641DFA4
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02BC865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02BC867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02BC86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02BC86B1
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: c87ec12fc99196db1902a93687cb2493bfa04ab9d07821d6cb848ed0158046e3
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: F8C19471900149BEEB12ABA4DD84EEF7BBDEB04304F2440FEF605E6050E7B05A949F65
APIs
• ShellExecuteExW.SHELL32(?), ref: 02BC1601
• lstrlenW.KERNEL32(-00000003), ref: 02BC17D8
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: e86d03d98d5fb2dd0e4c27af624b788b5d14d8835809c3c7dfe19513b473dcbc
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 1EF1BFB11183419FD720DF68C888BABB7E5FB88304F10896DF699A7391D7B4D944CB62
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02BC76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02BC7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02BC778F
• ___ascii_stricmp.LIBCMT ref: 02BC78B4
• RegCloseKey.ADVAPI32(?), ref: 02BC794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02BC796D
• RegCloseKey.ADVAPI32(?), ref: 02BC797E
• RegCloseKey.ADVAPI32(?), ref: 02BC79AC
• RegCloseKey.ADVAPI32(?), ref: 02BC7A56
  • Part of subcall function 02BCF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,02BC772A,?), ref: 02BCF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02BC79F6
• RegCloseKey.ADVAPI32(?), ref: 02BC7A4D
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: c369d02168a9f5d90c326c3aa198383539cd32a5492afcdae76551030d1d3451
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: CCC15171900109ABEB119FA4DC44FEEBBBEEF49710F2440EAE514E6150EF719A84DF60
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 02BC2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 02BC2D07
• htons.WS2_32(00000000), ref: 02BC2D42
• select.WS2_32 ref: 02BC2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02BC2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02BC2E62
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 084b0c6cb2ad10beedaf11e96b2165359e3f39981bf3f1c8b6a01a4129f0cda1
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 4861F2B150430AABC7209F64DC48B6BBBF8FB48755F20489DFD88A7150D7B4D880CBA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• GetVersionExA.KERNEL32(?), ref: 02BC95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02BC95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 02BC95DC
• wsprintfA.USER32 ref: 02BC9635
• wsprintfA.USER32 ref: 02BC9673
• wsprintfA.USER32 ref: 02BC96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02BC9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02BC978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02BC97D8
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 60c0265823ddf43975fcd3bb3db96eb0943e8a4b7003cec99f40a8a0bbca96d9
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 50A16EB1900648EBFB21DFA0CC85FEA3BADEB04745F2040AAFA1596151E7B5D584CFA4
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• GetVersionExA.KERNEL32 ref: 02BC202D
• GetSystemInfo.KERNEL32(?), ref: 02BC204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 02BC206A
• GetProcAddress.KERNEL32(00000000), ref: 02BC2071
• GetCurrentProcess.KERNEL32(?), ref: 02BC2082
• GetTickCount.KERNEL32 ref: 02BC2230
  • Part of subcall function 02BC1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02BC1E7C
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: 6f3ad868b6a23a749ac4b7f87039c4fc5b60ed0f0b134c254e2b3198fe0f3cab
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: C15106B0500344AFE330AF758C85F67BAECEF44704F10499DF99692242D7B9E984CB65
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-3679488032
                                                                                            • Opcode ID: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction ID: bd7dfe77e026ff01e11c6618f048304d5953ff5d6b37f7005ea1b6d17bf081bd
                                                                                            • Opcode Fuzzy Hash: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction Fuzzy Hash: 263197B25401197ADF016B96CCC2DFFBB6CEF49348B14052BF904B1182EB789A6587E9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02BC3068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02BC3078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 02BC3095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02BC30B6
                                                                                            • htons.WS2_32(00000035), ref: 02BC30EF
                                                                                            • inet_addr.WS2_32(?), ref: 02BC30FA
                                                                                            • gethostbyname.WS2_32(?), ref: 02BC310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02BC314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: dff986bf83c5c6731a25158858992b531d1e092a24cd41001df6ac14edce3579
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 3631C431A00206AFDB119BB89C48BAE77F8EF04364F64C1E9E518E3390DB74D5818B58
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                            • API String ID: 1082366364-2834986871
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000008), ref: 02BC67C3
                                                                                            • htonl.WS2_32(?), ref: 02BC67DF
                                                                                            • htonl.WS2_32(?), ref: 02BC67EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02BC68F1
                                                                                            • ExitProcess.KERNEL32 ref: 02BC69BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1430491713-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: b9671f8c80babcff5a368e8db737bec707e6927545e2c21552b35ea0d64178d0
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: 74616F71A40208AFDB649FB4DC45FEA77E9FB48300F24806AFA6DD2161DBB59990CF14
                                                                                            APIs
                                                                                            • htons.WS2_32(02BCCC84), ref: 02BCF5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 02BCF5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 02BCF5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 1d90366830ca14b69558d770568dd427d8a50010ca4a8d70a7c8080ad26242db
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 87315C72900118ABDB10DFA5DC88DFE7BBDEF88310F2045AAF915D3150E7709A81CBA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02BC2FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02BC2FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02BC2FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02BC3000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02BC3007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02BC3032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 05c457b33cfd61a4e698008ad52c0e2e251212ceb717d2077177264de7fd26a3
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 05217472D01629BBCB219B95DC44AEEBBBCEF08B50F6084A5F905E7140D7B49A818BD4
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3609698214-2980165447
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wvtbuegq,02BC7043), ref: 02BC6F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02BC6F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02BC6F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02BC6F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\wvtbuegq
                                                                                            • API String ID: 1082366364-3574389405
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: 6527b34e9606c6520d7ca8bf5a225b647ac656170b35630b77c45f2f689e75a8
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: 7221F0217413407AF72257319C88FFB2E4DCB92724F2880EEF844E6591DBD984D687AD
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 02BC92E2
                                                                                            • wsprintfA.USER32 ref: 02BC9350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02BC9375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 02BC9389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 02BC9394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02BC939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: 59141d39aef02c51068a905a0bf6ddf95587529bbd8d6952f67e7f03602d864d
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: 251175B1740114BBF7246771DC0DFEF3A6EDBC4B10F10C0A9BB05A5090EAB49A418B64
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02BC9A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02BC9A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02BC9A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02BC9A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02BC9AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02BC9AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: 70e0f85a66acd7cd64264f2cd1b091da1f8dea1f3f51e02720f3e08e7da075b6
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: 68213BB1A01219BBEB119BA1DC09EEF7BBCEF04750F5040A5FA29E1050E7758A44CFA4
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02BC1C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02BC1C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02BC1C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02BC1C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02BC1CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02BC1D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02BC1D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: 8e8a11dcb766b885595a385a0bf37dd9ab062bcfbee1cdb366bb7b0ce9162f31
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: 96315C32E10209BFCB119FA8DC888EEBAB9EB45315B3444BEF509F6111D7B54E80DB94
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02BC6CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02BC6D22
                                                                                            • GetLastError.KERNEL32 ref: 02BC6DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02BC6DB5
                                                                                            • GetLastError.KERNEL32 ref: 02BC6DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02BC6DE7
                                                                                            • GetLastError.KERNEL32 ref: 02BC6DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: b4637428e5228d679b9b952d794aa6e34b7935227c267b6f9d80a44359ae856e
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: FB31E376900249BFDB01DFA4DD44EDE7FBDEF88310F2480AAE251E3250D7709A558BA1
                                                                                            APIs
                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A2ED
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A305
                                                                                            • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A30D
                                                                                            • SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,0041C984), ref: 0041A354
                                                                                            • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A365
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477498011.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_OPgjjiInNK.jbxd
                                                                                            Similarity
                                                                                            • API ID: BuildCalendarCommExceptionFilterInfoNamePathPrivateProfileShortStringUnhandledWrite
                                                                                            • String ID: -
                                                                                            • API String ID: 1417380309-2547889144
                                                                                            • Opcode ID: 194fcf32e7f97bc96fd691d7a03e22e60329f69e963f5865272f8d44103360b1
                                                                                            • Instruction ID: eb2b044afba0a356212631dcb840a836c037afd69ed90e5d23667867df488ba6
                                                                                            • Opcode Fuzzy Hash: 194fcf32e7f97bc96fd691d7a03e22e60329f69e963f5865272f8d44103360b1
                                                                                            • Instruction Fuzzy Hash: 5F21E970685308ABD7209F64DC85BEE7BB4EB0C715F5000A9FB19AB2C1CB741AD58B5E
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02BC93C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02BC93CD
                                                                                            • CharToOemA.USER32(?,?), ref: 02BC93DB
                                                                                            • wsprintfA.USER32 ref: 02BC9410
                                                                                              • Part of subcall function 02BC92CB: GetTempPathA.KERNEL32(00000400,?), ref: 02BC92E2
                                                                                              • Part of subcall function 02BC92CB: wsprintfA.USER32 ref: 02BC9350
                                                                                              • Part of subcall function 02BC92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02BC9375
                                                                                              • Part of subcall function 02BC92CB: lstrlen.KERNEL32(?,?,00000000), ref: 02BC9389
                                                                                              • Part of subcall function 02BC92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02BC9394
                                                                                              • Part of subcall function 02BC92CB: CloseHandle.KERNEL32(00000000), ref: 02BC939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02BC9448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: f252f569d68b00b2976c4177e8ec9692105943912d6341bd763e55b46222194e
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 190152F69001187BE721A7619D89EEF377CDB95701F0040A6BB49E2080DAB497C58F75
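The two function summaries above (the one at 0040915F in the image mapped at 00400000 and its copy at 02BC93C6 in the unpacked region at 02BC0000) list the same chain: GetModuleFileNameA to obtain the sample's own path, GetTempPathA + CreateFileA + WriteFile to drop a file in the temp directory, then ShellExecuteA to launch it. That is the chain behind the report's "Deletes itself after installation" signature. The script below is an added example written for this page, not Joe Sandbox code and not part of the report: it parses the plugin's "APIs" listing format exactly as printed on this page (bullet, API.MODULE(args), ref: address; "Part of subcall function" lines included) and tags a function when its call set matches a few triage heuristics. The heuristics, the tag names and the constants are the editor's assumptions; the `?` arguments are values the plugin could not resolve statically, so the tags are hints to confirm against the behavioural section of the report, not proof. The sample inputs are copied from the self-delete summary above and from the GetDiskFreeSpaceA summary earlier in this section.

```python
"""Parse a Joe Sandbox IDA-plugin 'APIs' listing into call chains and flag
triage-relevant behaviour. Added example for this page; not Joe Sandbox code.
The pattern rules and tag names below are the editor's own heuristics."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One listing line: '• [Part of subcall function XXXX: ]Api.MODULE(args), ref: ADDR'
# The argument list is absent on some lines (e.g. 'wsprintfA.USER32 ref: ...').
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY_CURRENT_USER = 0x80000001   # first argument of RegOpenKeyExA
GENERIC_WRITE = 0x40000000       # dwDesiredAccess bit of CreateFileA


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw tokens; '?' means unresolved at analysis time
    ref: str                 # address of the call site
    subcall_of: Optional[str] = None   # set for 'Part of subcall function' lines


def parse_api_calls(text: str) -> List[Call]:
    """Return the calls of one function summary, in listing order."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # headings ('APIs', 'Strings') and hash lines are skipped
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def _arg_hex(call: Call, idx: int) -> Optional[int]:
    """Numeric value of argument idx, or None if missing or printed as '?'."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None


def classify(calls: List[Call]) -> Set[str]:
    """Heuristic tags for a call chain (assumed rules, see lead-in)."""
    present = {c.api for c in calls}
    tags = set()
    # Own path -> script in %TEMP% -> launch it: the self-deletion chain.
    if {"GetModuleFileNameA", "GetTempPathA", "CreateFileA",
            "WriteFile", "ShellExecuteA"} <= present:
        tags.add("self_delete_via_temp_script")
    for c in calls:
        if c.api == "RegOpenKeyExA" and _arg_hex(c, 0) == HKEY_CURRENT_USER:
            tags.add("reads_hkcu")
        # Open a file for writing, ask for free space, delete it again:
        # a writability probe of a drive rather than a real file drop.
        if (c.api == "CreateFileA" and (_arg_hex(c, 1) or 0) & GENERIC_WRITE
                and {"GetDiskFreeSpaceA", "DeleteFileA"} <= present):
            tags.add("probes_writable_drive")
        if c.api == "CreateThread":
            tags.add("spawns_thread")
    return tags


# Sample input copied from the self-delete function summary on this page.
SAMPLE_SELF_DELETE = """
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
"""

# Sample input copied from the GetDiskFreeSpaceA function summary on this page.
SAMPLE_DRIVE_PROBE = """
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02BC6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02BC6D22
• GetLastError.KERNEL32 ref: 02BC6DA7
• CloseHandle.KERNEL32(?), ref: 02BC6DB5
• GetLastError.KERNEL32 ref: 02BC6DD6
• DeleteFileA.KERNEL32(?), ref: 02BC6DE7
• GetLastError.KERNEL32 ref: 02BC6DFD
"""

if __name__ == "__main__":
    for name, sample in (("self-delete", SAMPLE_SELF_DELETE),
                         ("drive probe", SAMPLE_DRIVE_PROBE)):
        chain = parse_api_calls(sample)
        print(name, "->", " > ".join(c.api for c in chain))
        print("  tags:", sorted(classify(chain)))
```

Run it on any function summary pasted from the report; subcall lines are kept in the chain with `subcall_of` set to the callee's address, so the same rule set works whether the plugin inlined the helper or listed it separately. The `?` placeholders are deliberately treated as unknown rather than zero, so a rule that depends on an argument value (the HKCU check, the GENERIC_WRITE bit) stays silent instead of firing on an unresolved argument.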
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: 2d86d053f8373ed6f132d1a035a7a977aaa8a5b2df23c7aeb6d9a9a19d707045
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: 9D71E572A4430CABDF219F94EC85FEE376AEB00719F3444EEF905A60D0DF6299848B55
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 02BCDF6C: GetCurrentThreadId.KERNEL32 ref: 02BCDFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 02BCE8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02BC6128), ref: 02BCE950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 02BCE989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: e802f594da1395aef0a10e24bb086c920383891660238987c139c8a33e6eda3c
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 6A31AF31A04706DBDF79CF24C884BA67BE8FB09725F2089AEE65587550D3B0E880CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: bb98935645451d528708193c263896fae775a91ec124f5edcaa214dacab83a37
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: 922145B210411AFFDB109B71FC48EDF7FADDB896A5B2084AAF506D1090EB70DA40D674
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,0040E538,?,774D0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02BCC6B4
                                                                                            • InterlockedIncrement.KERNEL32(02BCC74B), ref: 02BCC715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02BCC747), ref: 02BCC728
                                                                                            • CloseHandle.KERNEL32(00000000,?,02BCC747,00413588,02BC8A77), ref: 02BCC733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction ID: 29d3f49ead9e56f80e42fc75e05233a8a10cf721140d33a49be7976d8b684c22
                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction Fuzzy Hash: 9E515AB1A01B418FD7249F29C6D562ABBE9FB58304B60697FE18BC7A90D774F840CB10
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 124786226-2980165447
                                                                                            • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,02BCE50A,00000000,00000000,00000000,00020106,00000000,02BCE50A,00000000,000000E4), ref: 02BCE319
                                                                                            • RegSetValueExA.ADVAPI32(02BCE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02BCE38E
                                                                                            • RegDeleteValueA.ADVAPI32(02BCE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02BCE3BF
                                                                                            • RegCloseKey.ADVAPI32(02BCE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,02BCE50A), ref: 02BCE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 1e0631e257d7006c6b0228f8b25605dd7cc7088e40ee3e00f67842039d951b56
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: B9214A71A0021DEBDF219FA4EC89EEE7F79EF48760F1480A5F904A6150E371DA54DBA0
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02BC71E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02BC7228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 02BC7286
                                                                                            • wsprintfA.USER32 ref: 02BC729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: 8fc1631744c41327e93ddb1480f8d65c5f5d67662703100aa048f95d2298979e
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: FA311C72900108BBDB01DFA4DC45BDA7BADEF04314F24C0AAF959DB204EB75D6488F94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02BCB51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02BCB529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02BCB548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 02BCB590
                                                                                            • wsprintfA.USER32 ref: 02BCB61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 6e973b099f69e34641b01110660d5c3c0616d64d667a464709cd51e9c407e46d
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 95510EB1D0021DAACF14DFD5D8899EEBBB9FF48304F10816AE505A6150E7B94AC9CF98
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 02BC6303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02BC632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 02BC63B1
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02BC6405
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: fe24db25763e3197a47561f8990a4d1c8e91080f9bd8c696f61c2405429991a3
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: 84412BB1A00219EBDB14CF58D884FA9B7B8FF84358F28C1ADE965D7290E771E941CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,774D0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E5B2
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
APIs
  • Part of subcall function 02BCDF6C: GetCurrentThreadId.KERNEL32 ref: 02BCDFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,02BCA6AC), ref: 02BCE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,02BCA6AC), ref: 02BCE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,02BCA6AC), ref: 02BCE819
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: e076d50abc6aaf75c6c7cf491996ca9a41831addf48215cf6b77356e2dc49bec
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: 9E21F9B1A44301BAF2207B219C45FEB3E1DDB65B60F3000BDFA09B51D3EA55D5508AB5
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02BC76D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02BC796D
• RegCloseKey.ADVAPI32(?), ref: 02BC797E
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: 6bb5ecef5c3b388955aa0d2fe5546360a81873a327ddc423948404cf63343b4c
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: 9311AF70A00109AFDB119F69DC45FAFFF7DEB45714F2401A9F525E6290EBB189408F60
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
• Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02BC999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 02BC99BD
• RegCloseKey.ADVAPI32(?), ref: 02BC99C6
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction ID: 95024427e9b346885f2af92f994ae627b6e28b80b1b3864db3a8bc0d1774f897
• Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction Fuzzy Hash: 17F0F6B2780208BBF7106B54EC46FDB3A2DDB94B10F2000B5FA05B5081F6E59F9086B9
Memory Dump Source
• Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: e53af76dfc51d126468191483b7d9c0f5ecfb4065948da2c1d9c9f5059c903a7
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 87E012306085119FDB50DB2CF848AD577E5EF4A230F1585D9F854D71A0C774ECC19754
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02BC421F
                                                                                            • GetLastError.KERNEL32 ref: 02BC4229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 02BC423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: e4b3e6bb165a0686d45c266748047031fa10d65ca745b78fef3833006a1a9832
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: 0701C872921109AFDF01DF90ED85BEF7BBCEB08255F1084A5F941E6050D770DA548BB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02BC41AB
                                                                                            • GetLastError.KERNEL32 ref: 02BC41B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 02BC41C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC41D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 7af8731e5d3919b9aa58b1c83a2fa0f394b419e1c7fd0aef14370cda51438233
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 5901E97651110AABDF01DF90EE88BEE7B7CEB18255F1040A5F901E2150D7709B948BB5
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 02BCE066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 41fc2db4ea4025a2b16c1dd100740baf09aadb9e13875a7d22e47a5e7d8c059d
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 84F06D32200702DBCB30CF25D885A82B7E9FB09335B648AAEE558D3060D374E498CBA5
                                                                                            APIs
                                                                                            • QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B03C,0041A771), ref: 0041A3BC
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B03C,0041A771), ref: 0041A3D7
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A3FA
                                                                                            • GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A404
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477498011.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_OPgjjiInNK.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                            • String ID:
                                                                                            • API String ID: 2305449109-0
                                                                                            • Opcode ID: 4c0f42d26a76dfa3f20223abca6f33b6da74c46575f0e003faa6d2fec53e1458
                                                                                            • Instruction ID: 6db4692fb877ccccee5eb756e0d798b8d09dcb931a060774b89a74a442978187
                                                                                            • Opcode Fuzzy Hash: 4c0f42d26a76dfa3f20223abca6f33b6da74c46575f0e003faa6d2fec53e1458
                                                                                            • Instruction Fuzzy Hash: 61F089317C5300E7E6306754EC4AF8A3764E70875AF108463F7199A2D5C7B458608F5F
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                            • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                            • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                            • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                            • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,02BC44E2,00000000,00000000,00000000), ref: 02BCE470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 02BCE484
                                                                                              • Part of subcall function 02BCE2FC: RegCreateKeyExA.ADVAPI32(80000001,02BCE50A,00000000,00000000,00000000,00020106,00000000,02BCE50A,00000000,000000E4), ref: 02BCE319
                                                                                              • Part of subcall function 02BCE2FC: RegSetValueExA.ADVAPI32(02BCE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02BCE38E
                                                                                              • Part of subcall function 02BCE2FC: RegDeleteValueA.ADVAPI32(02BCE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02BCE3BF
                                                                                              • Part of subcall function 02BCE2FC: RegCloseKey.ADVAPI32(02BCE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,02BCE50A), ref: 02BCE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: 5f5912e690878f322a53c1246ffcb33515d24ad8c207353ec1d0e423f92762e3
                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction Fuzzy Hash: 674198B2A00214FAEB206F558C45FEF3B6DDB04764F2480BDFD09A4192E7B5C650DAB5
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02BC83C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02BC8477
                                                                                              • Part of subcall function 02BCEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02BC1DCF,?), ref: 02BCEEA8
                                                                                              • Part of subcall function 02BCEE95: HeapFree.KERNEL32(00000000), ref: 02BCEEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$CloseFreeOpenProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1016092768-2980165447
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: 8101dfc732868310ef0c960468f21f0893a134ce209280d3a0b5c89a88653917
                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction Fuzzy Hash: 1B4140B2900109BFEB11EBA49D80EFF776DEB04344F2844EEE505D7150FBB09A948B65
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,02BCE859,00000000,00020119,02BCE859,PromptOnSecureDesktop), ref: 02BCE64D
                                                                                            • RegCloseKey.ADVAPI32(02BCE859,?,?,?,?,000000C8,000000E4), ref: 02BCE787
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 47109696-2980165447
                                                                                            • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                            • Instruction ID: d32c367bb2e6ac86abdac90849013bd1e3e498148496d2697d1d0e9addb0fdda
                                                                                            • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                            • Instruction Fuzzy Hash: 4A41D6B2D0011DFFDF11AF94DC81EEEBB7AEB04704F2444BAEA10B6150E7719A559B60
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02BCAFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02BCB00D
                                                                                              • Part of subcall function 02BCAF6F: gethostname.WS2_32(?,00000080), ref: 02BCAF83
                                                                                              • Part of subcall function 02BCAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02BCAFE6
                                                                                              • Part of subcall function 02BC331C: gethostname.WS2_32(?,00000080), ref: 02BC333F
                                                                                              • Part of subcall function 02BC331C: gethostbyname.WS2_32(?), ref: 02BC3349
                                                                                              • Part of subcall function 02BCAA0A: inet_ntoa.WS2_32(00000000), ref: 02BCAA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction ID: c4dee96d911235e326db3af7361306ab740120da6244d3609fef849b664fe2a5
                                                                                            • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction Fuzzy Hash: 8841627290024CABDB25EFA0DC45EEE3BAEFF08314F24446BF92492151EA75E6548F54
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02BC9536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 02BC955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction ID: 9cb3ad38aaf600aafe8e427c7698a2b652e02e99f082e06f2abc3eb8a062ed51
                                                                                            • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction Fuzzy Hash: AF4105B19087846FFB369B64D89C7B67BA8DB02314F3841EDD482971A3D7B48981C711
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02BCB9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 02BCBA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02BCBA94
                                                                                            • GetTickCount.KERNEL32 ref: 02BCBB79
                                                                                            • GetTickCount.KERNEL32 ref: 02BCBB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02BCBE15
                                                                                            • closesocket.WS2_32(00000000), ref: 02BCBEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction ID: 59a60fc92d66986715ec1531199f45c2b98798ff8160aed982d0878140c9cfe2
                                                                                            • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction Fuzzy Hash: 60318DB1500249DFDF25DFA4DC85AEEB7B9EB48704F30449AFA2492160DB71D685CF14
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                            • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 02BC70BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02BC70F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 16c1256d4038dca359df1e35400b3f8e16b4655c39f4e207fa26b56a9233a838
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 4411FA72900118EBDB11DFD4DC84ADEB7BDEB04716F2481AAE501E6294DB709B88DFA0
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1477452359.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1477452359.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                            APIs
                                                                                              • Part of subcall function 02BC2F88: GetModuleHandleA.KERNEL32(?), ref: 02BC2FA1
                                                                                              • Part of subcall function 02BC2F88: LoadLibraryA.KERNEL32(?), ref: 02BC2FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BC31DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02BC31E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1478738822.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bc0000_OPgjjiInNK.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 8320c4efe57ed08b8179a32f8c714825321af8a26bde3fed71c1026aeb7b329d
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: A0516D7190024AAFCF019F64D888AFAB7B5FF05305B6485E9EC96C7210E7329A59CB90

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.5%
                                                                                            Dynamic/Decrypted Code Coverage:99.9%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:1574
                                                                                            Total number of Limit Nodes:15
15987->15981 15988 40e332 14 API calls 15987->15988 15989 40e513 15988->15989 15989->15981 15991 40db89 lstrcpyA CreateFileA 15990->15991 15992 40dbca 15990->15992 15991->15960 15992->15960 15995 40ec01 15994->15995 15996 40ebf6 15994->15996 15998 40eba0 codecvt 2 API calls 15995->15998 15997 40ebcc 4 API calls 15996->15997 15999 40ebfe 15997->15999 16000 40ec0a GetProcessHeap HeapReAlloc 15998->16000 15999->15968 16001 40eb74 2 API calls 16000->16001 16002 40ec28 16001->16002 16002->15968 16017 40eb41 16003->16017 16007 40de3a 16006->16007 16012 40de4e 16007->16012 16021 40dd84 16007->16021 16010 40de9e 16011 40ebed 8 API calls 16010->16011 16010->16012 16015 40def6 16011->16015 16012->15974 16013 40de76 16025 40ddcf 16013->16025 16015->16012 16016 40ddcf lstrcmpA 16015->16016 16016->16012 16018 40eb54 16017->16018 16019 40eb4a 16017->16019 16018->15974 16020 40eae4 2 API calls 16019->16020 16020->16018 16022 40ddc5 16021->16022 16023 40dd96 16021->16023 16022->16010 16022->16013 16023->16022 16024 40ddad lstrcmpiA 16023->16024 16024->16022 16024->16023 16026 40dddd 16025->16026 16028 40de20 16025->16028 16027 40ddfa lstrcmpA 16026->16027 16026->16028 16027->16026 16028->16012 16030 40dd05 6 API calls 16029->16030 16031 40e821 16030->16031 16032 40dd84 lstrcmpiA 16031->16032 16033 40e82c 16032->16033 16034 40e844 16033->16034 16077 402480 16033->16077 16034->15624 16037 40dd05 6 API calls 16036->16037 16038 40df7c 16037->16038 16039 40dd84 lstrcmpiA 16038->16039 16043 40df89 16039->16043 16040 40dfc4 16040->15631 16041 40ddcf lstrcmpA 16041->16043 16042 40ec2e codecvt 4 API calls 16042->16043 16043->16040 16043->16041 16043->16042 16044 40dd84 lstrcmpiA 16043->16044 16044->16043 16046 40ea98 16045->16046 16086 40e8a1 16046->16086 16048 401e84 16048->15632 16050 4019d5 GetProcAddress GetProcAddress GetProcAddress 16049->16050 16051 4019ce 16049->16051 16052 401ab3 FreeLibrary 16050->16052 16053 401a04 16050->16053 16051->15637 16052->16051 16053->16052 16054 401a14 
GetProcessHeap 16053->16054 16054->16051 16056 401a2e HeapAlloc 16054->16056 16056->16051 16057 401a42 16056->16057 16058 401a52 HeapReAlloc 16057->16058 16060 401a62 16057->16060 16058->16060 16059 401aa1 FreeLibrary 16059->16051 16060->16059 16061 401a96 HeapFree 16060->16061 16061->16059 16114 401ac3 LoadLibraryA 16062->16114 16065 401bcf 16065->15648 16067 401ac3 12 API calls 16066->16067 16068 401c09 16067->16068 16069 401c0d GetComputerNameA 16068->16069 16072 401c41 16068->16072 16070 401c45 GetVolumeInformationA 16069->16070 16071 401c1f 16069->16071 16070->16072 16071->16070 16071->16071 16071->16072 16072->15657 16074 40ee2a 16073->16074 16075 4030d0 gethostname gethostbyname 16074->16075 16076 401f82 16075->16076 16076->15662 16076->15663 16080 402419 lstrlenA 16077->16080 16079 402491 16079->16034 16081 402474 16080->16081 16082 40243d lstrlenA 16080->16082 16081->16079 16083 402464 lstrlenA 16082->16083 16084 40244e lstrcmpiA 16082->16084 16083->16081 16083->16082 16084->16083 16085 40245c 16084->16085 16085->16081 16085->16083 16087 40dd05 6 API calls 16086->16087 16088 40e8b4 16087->16088 16089 40dd84 lstrcmpiA 16088->16089 16090 40e8c0 16089->16090 16091 40e90a 16090->16091 16092 40e8c8 lstrcpynA 16090->16092 16094 402419 4 API calls 16091->16094 16100 40ea27 16091->16100 16093 40e8f5 16092->16093 16107 40df4c 16093->16107 16095 40e926 lstrlenA lstrlenA 16094->16095 16097 40e96a 16095->16097 16098 40e94c lstrlenA 16095->16098 16097->16100 16102 40ebcc 4 API calls 16097->16102 16098->16097 16099 40e901 16101 40dd84 lstrcmpiA 16099->16101 16100->16048 16101->16091 16103 40e98f 16102->16103 16103->16100 16104 40df4c 20 API calls 16103->16104 16105 40ea1e 16104->16105 16106 40ec2e codecvt 4 API calls 16105->16106 16106->16100 16108 40dd05 6 API calls 16107->16108 16109 40df51 16108->16109 16110 40f04e 4 API calls 16109->16110 16111 40df58 16110->16111 16112 40de24 10 API calls 16111->16112 16113 40df63 16112->16113 16113->16099 16115 401ae2 
GetProcAddress 16114->16115 16116 401b68 GetComputerNameA GetVolumeInformationA 16114->16116 16115->16116 16117 401af5 16115->16117 16116->16065 16118 401b29 16117->16118 16119 40ebed 8 API calls 16117->16119 16118->16116 16120 40ec2e codecvt 4 API calls 16118->16120 16119->16117 16120->16116 16122 406ec3 2 API calls 16121->16122 16123 407ef4 16122->16123 16124 4073ff 17 API calls 16123->16124 16133 407fc9 16123->16133 16125 407f16 16124->16125 16125->16133 16134 407809 GetUserNameA 16125->16134 16127 407f63 16128 40ef1e lstrlenA 16127->16128 16127->16133 16129 407fa6 16128->16129 16130 40ef1e lstrlenA 16129->16130 16131 407fb7 16130->16131 16158 407a95 RegOpenKeyExA 16131->16158 16133->15671 16135 40783d LookupAccountNameA 16134->16135 16136 407a8d 16134->16136 16135->16136 16137 407874 GetLengthSid GetFileSecurityA 16135->16137 16136->16127 16137->16136 16138 4078a8 GetSecurityDescriptorOwner 16137->16138 16139 4078c5 EqualSid 16138->16139 16140 40791d GetSecurityDescriptorDacl 16138->16140 16139->16140 16141 4078dc LocalAlloc 16139->16141 16140->16136 16148 407941 16140->16148 16141->16140 16142 4078ef InitializeSecurityDescriptor 16141->16142 16144 407916 LocalFree 16142->16144 16145 4078fb SetSecurityDescriptorOwner 16142->16145 16143 40795b GetAce 16143->16148 16144->16140 16145->16144 16146 40790b SetFileSecurityA 16145->16146 16146->16144 16147 407980 EqualSid 16147->16148 16148->16136 16148->16143 16148->16147 16149 407a3d 16148->16149 16150 4079be EqualSid 16148->16150 16151 40799d DeleteAce 16148->16151 16149->16136 16152 407a43 LocalAlloc 16149->16152 16150->16148 16151->16148 16152->16136 16153 407a56 InitializeSecurityDescriptor 16152->16153 16154 407a62 SetSecurityDescriptorDacl 16153->16154 16155 407a86 LocalFree 16153->16155 16154->16155 16156 407a73 SetFileSecurityA 16154->16156 16155->16136 16156->16155 16157 407a83 16156->16157 16157->16155 16159 407ac4 16158->16159 16160 407acb GetUserNameA 16158->16160 16159->16133 16161 407da7 RegCloseKey 
16160->16161 16162 407aed LookupAccountNameA 16160->16162 16161->16159 16162->16161 16163 407b24 RegGetKeySecurity 16162->16163 16163->16161 16164 407b49 GetSecurityDescriptorOwner 16163->16164 16165 407b63 EqualSid 16164->16165 16166 407bb8 GetSecurityDescriptorDacl 16164->16166 16165->16166 16167 407b74 LocalAlloc 16165->16167 16168 407da6 16166->16168 16175 407bdc 16166->16175 16167->16166 16169 407b8a InitializeSecurityDescriptor 16167->16169 16168->16161 16171 407bb1 LocalFree 16169->16171 16172 407b96 SetSecurityDescriptorOwner 16169->16172 16170 407bf8 GetAce 16170->16175 16171->16166 16172->16171 16173 407ba6 RegSetKeySecurity 16172->16173 16173->16171 16174 407c1d EqualSid 16174->16175 16175->16168 16175->16170 16175->16174 16176 407cd9 16175->16176 16177 407c5f EqualSid 16175->16177 16178 407c3a DeleteAce 16175->16178 16176->16168 16179 407d5a LocalAlloc 16176->16179 16180 407cf2 RegOpenKeyExA 16176->16180 16177->16175 16178->16175 16179->16168 16181 407d70 InitializeSecurityDescriptor 16179->16181 16180->16179 16186 407d0f 16180->16186 16182 407d7c SetSecurityDescriptorDacl 16181->16182 16183 407d9f LocalFree 16181->16183 16182->16183 16184 407d8c RegSetKeySecurity 16182->16184 16183->16168 16184->16183 16185 407d9c 16184->16185 16185->16183 16187 407d43 RegSetValueExA 16186->16187 16187->16179 16188 407d54 16187->16188 16188->16179 16189->15691 16191 40dd05 6 API calls 16190->16191 16194 40e65f 16191->16194 16192 40e6a5 16193 40ebcc 4 API calls 16192->16193 16197 40e6f5 16192->16197 16196 40e6b0 16193->16196 16194->16192 16195 40e68c lstrcmpA 16194->16195 16195->16194 16196->16197 16199 40e6b7 16196->16199 16200 40e6e0 lstrcpynA 16196->16200 16198 40e71d lstrcmpA 16197->16198 16197->16199 16198->16197 16199->15693 16200->16197 16201->15699 16203 40c525 16202->16203 16207 40c532 16202->16207 16205 40ec2e codecvt 4 API calls 16203->16205 16203->16207 16204 40c548 16208 40e7ff lstrcmpiA 16204->16208 16214 40c54f 16204->16214 16205->16207 16207->16204 16354 
40e7ff 16207->16354 16209 40c615 16208->16209 16210 40ebcc 4 API calls 16209->16210 16209->16214 16210->16214 16211 40c5d1 16213 40ebcc 4 API calls 16211->16213 16213->16214 16214->15712 16215 40e819 11 API calls 16216 40c5b7 16215->16216 16217 40f04e 4 API calls 16216->16217 16218 40c5bf 16217->16218 16218->16204 16218->16211 16220 402692 inet_addr 16219->16220 16221 40268e 16219->16221 16220->16221 16222 40269e gethostbyname 16220->16222 16223 40f428 16221->16223 16222->16221 16357 40f315 16223->16357 16228 40c8d2 16226->16228 16227 40c907 16227->15714 16228->16227 16229 40c517 23 API calls 16228->16229 16229->16227 16230 40f43e 16231 40f473 recv 16230->16231 16232 40f458 16231->16232 16233 40f47c 16231->16233 16232->16231 16232->16233 16233->15730 16235 40c670 16234->16235 16236 40c67d 16234->16236 16237 40ebcc 4 API calls 16235->16237 16238 40ebcc 4 API calls 16236->16238 16239 40c699 16236->16239 16237->16236 16238->16239 16240 40c6f3 16239->16240 16241 40c73c send 16239->16241 16240->15743 16240->15806 16241->16240 16243 40c770 16242->16243 16244 40c77d 16242->16244 16245 40ebcc 4 API calls 16243->16245 16246 40c799 16244->16246 16247 40ebcc 4 API calls 16244->16247 16245->16244 16248 40c7b5 16246->16248 16249 40ebcc 4 API calls 16246->16249 16247->16246 16250 40f43e recv 16248->16250 16249->16248 16251 40c7cb 16250->16251 16252 40f43e recv 16251->16252 16253 40c7d3 16251->16253 16252->16253 16253->15806 16370 407db7 16254->16370 16257 40f04e 4 API calls 16260 407e4c 16257->16260 16258 407e96 16258->15806 16259 40f04e 4 API calls 16259->16258 16261 40f04e 4 API calls 16260->16261 16262 407e70 16260->16262 16261->16262 16262->16258 16262->16259 16264 406ec3 2 API calls 16263->16264 16265 407fdd 16264->16265 16266 4073ff 17 API calls 16265->16266 16275 4080c2 CreateProcessA 16265->16275 16267 407fff 16266->16267 16267->16267 16268 407809 21 API calls 16267->16268 16267->16275 16269 40804d 16268->16269 16270 40ef1e lstrlenA 16269->16270 16269->16275 16271 40809e 
16270->16271 16272 40ef1e lstrlenA 16271->16272 16273 4080af 16272->16273 16274 407a95 24 API calls 16273->16274 16274->16275 16275->15794 16275->15795 16277 407db7 2 API calls 16276->16277 16278 407eb8 16277->16278 16279 40f04e 4 API calls 16278->16279 16280 407ece DeleteFileA 16279->16280 16280->15806 16282 40dd05 6 API calls 16281->16282 16283 40e31d 16282->16283 16374 40e177 16283->16374 16285 40e326 16285->15766 16287 4031f3 16286->16287 16288 4031ec 16286->16288 16289 40ebcc 4 API calls 16287->16289 16288->15806 16302 4031fc 16289->16302 16290 403459 16293 40f04e 4 API calls 16290->16293 16291 40349d 16292 40ec2e codecvt 4 API calls 16291->16292 16292->16288 16294 40345f 16293->16294 16295 4030fa 4 API calls 16294->16295 16295->16288 16296 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 16296->16302 16297 40344d 16298 40ec2e codecvt 4 API calls 16297->16298 16299 40344b 16298->16299 16299->16290 16299->16291 16301 403141 lstrcmpiA 16301->16302 16302->16288 16302->16296 16302->16297 16302->16299 16302->16301 16400 4030fa GetTickCount 16302->16400 16304 4030fa 4 API calls 16303->16304 16305 403c1a 16304->16305 16310 403ce6 16305->16310 16405 403a72 16305->16405 16308 403a72 9 API calls 16311 403c5e 16308->16311 16309 403a72 9 API calls 16309->16311 16310->15806 16311->16309 16311->16310 16312 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16311->16312 16312->16311 16314 403a10 16313->16314 16315 4030fa 4 API calls 16314->16315 16316 403a1a 16315->16316 16316->15806 16318 40dd05 6 API calls 16317->16318 16319 40e7be 16318->16319 16319->15806 16321 40c105 16320->16321 16322 40c07e wsprintfA 16320->16322 16321->15806 16414 40bfce GetTickCount wsprintfA 16322->16414 16324 40c0ef 16415 40bfce GetTickCount wsprintfA 16324->16415 16327 407047 16326->16327 16328 406f88 LookupAccountNameA 16326->16328 16327->15806 16330 407025 16328->16330 16331 406fcb 16328->16331 16332 406edd 5 API calls 16330->16332 16334 406fdb ConvertSidToStringSidA 
16331->16334 16333 40702a wsprintfA 16332->16333 16333->16327 16334->16330 16335 406ff1 16334->16335 16336 407013 LocalFree 16335->16336 16336->16330 16338 40dd05 6 API calls 16337->16338 16339 40e85c 16338->16339 16340 40dd84 lstrcmpiA 16339->16340 16341 40e867 16340->16341 16342 40e885 lstrcpyA 16341->16342 16416 4024a5 16341->16416 16419 40dd69 16342->16419 16348 407db7 2 API calls 16347->16348 16349 407de1 16348->16349 16350 40f04e 4 API calls 16349->16350 16353 407e16 16349->16353 16351 407df2 16350->16351 16352 40f04e 4 API calls 16351->16352 16351->16353 16352->16353 16353->15806 16355 40dd84 lstrcmpiA 16354->16355 16356 40c58e 16355->16356 16356->16204 16356->16211 16356->16215 16358 40ca1d 16357->16358 16359 40f33b 16357->16359 16358->15727 16358->16230 16360 40f347 htons socket 16359->16360 16361 40f382 ioctlsocket 16360->16361 16362 40f374 closesocket 16360->16362 16363 40f3aa connect select 16361->16363 16364 40f39d 16361->16364 16362->16358 16363->16358 16366 40f3f2 __WSAFDIsSet 16363->16366 16365 40f39f closesocket 16364->16365 16365->16358 16366->16365 16367 40f403 ioctlsocket 16366->16367 16369 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16367->16369 16369->16358 16371 407dc8 InterlockedExchange 16370->16371 16372 407dc0 Sleep 16371->16372 16373 407dd4 16371->16373 16372->16371 16373->16257 16373->16262 16375 40e184 16374->16375 16376 40e2e4 16375->16376 16377 40e223 16375->16377 16390 40dfe2 16375->16390 16376->16285 16377->16376 16379 40dfe2 8 API calls 16377->16379 16384 40e23c 16379->16384 16380 40e1be 16380->16377 16381 40dbcf 3 API calls 16380->16381 16383 40e1d6 16381->16383 16382 40e21a CloseHandle 16382->16377 16383->16377 16383->16382 16385 40e1f9 WriteFile 16383->16385 16384->16376 16394 40e095 RegCreateKeyExA 16384->16394 16385->16382 16387 40e213 16385->16387 16387->16382 16388 40e2a3 16388->16376 16389 40e095 4 API calls 16388->16389 16389->16376 16391 40dffc 16390->16391 16393 40e024 16390->16393 16392 40db2e 8 API 
calls 16391->16392 16391->16393 16392->16393 16393->16380 16395 40e172 16394->16395 16398 40e0c0 16394->16398 16395->16388 16396 40e13d 16397 40e14e RegDeleteValueA RegCloseKey 16396->16397 16397->16395 16398->16396 16399 40e115 RegSetValueExA 16398->16399 16399->16396 16399->16398 16401 403122 InterlockedExchange 16400->16401 16402 40312e 16401->16402 16403 40310f GetTickCount 16401->16403 16402->16302 16403->16402 16404 40311a Sleep 16403->16404 16404->16401 16406 40f04e 4 API calls 16405->16406 16413 403a83 16406->16413 16407 403be6 16410 40ec2e codecvt 4 API calls 16407->16410 16408 403ac1 16408->16308 16408->16310 16409 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16411 403bc0 16409->16411 16410->16408 16411->16407 16411->16409 16412 403b66 lstrlenA 16412->16408 16412->16413 16413->16408 16413->16411 16413->16412 16414->16324 16415->16321 16417 402419 4 API calls 16416->16417 16418 4024b6 16417->16418 16418->16342 16420 40dd79 lstrlenA 16419->16420 16420->15806 16422 404084 16421->16422 16423 40407d 16421->16423 16424 403ecd 6 API calls 16422->16424 16425 40408f 16424->16425 16426 404000 3 API calls 16425->16426 16428 404095 16426->16428 16427 404130 16429 403ecd 6 API calls 16427->16429 16428->16427 16433 403f18 4 API calls 16428->16433 16430 404159 CreateNamedPipeA 16429->16430 16431 404167 Sleep 16430->16431 16432 404188 ConnectNamedPipe 16430->16432 16431->16427 16434 404176 CloseHandle 16431->16434 16436 404195 GetLastError 16432->16436 16445 4041ab 16432->16445 16435 4040da 16433->16435 16434->16432 16437 403f8c 4 API calls 16435->16437 16438 40425e DisconnectNamedPipe 16436->16438 16436->16445 16439 4040ec 16437->16439 16438->16432 16440 404127 CloseHandle 16439->16440 16441 404101 16439->16441 16440->16427 16442 403f18 4 API calls 16441->16442 16443 40411c ExitProcess 16442->16443 16444 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16444->16445 16445->16432 16445->16438 16445->16444 16446 403f18 WriteFile 
GetLastError WaitForSingleObject GetOverlappedResult 16445->16446 16447 40426a CloseHandle CloseHandle 16445->16447 16446->16445 16448 40e318 23 API calls 16447->16448 16449 40427b 16448->16449 16449->16449 16451 408791 16450->16451 16452 40879f 16450->16452 16453 40f04e 4 API calls 16451->16453 16454 4087bc 16452->16454 16455 40f04e 4 API calls 16452->16455 16453->16452 16456 40e819 11 API calls 16454->16456 16455->16454 16457 4087d7 16456->16457 16463 408803 16457->16463 16473 4026b2 gethostbyaddr 16457->16473 16460 4087eb 16462 40e8a1 30 API calls 16460->16462 16460->16463 16462->16463 16478 408cee 16463->16478 16486 40c4d6 16463->16486 16489 40c4e2 16463->16489 16492 402011 16463->16492 16466 40e819 11 API calls 16467 40881f 16466->16467 16467->16466 16468 4088a0 Sleep 16467->16468 16470 4026b2 2 API calls 16467->16470 16471 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16467->16471 16472 40e8a1 30 API calls 16467->16472 16527 408328 16467->16527 16468->16463 16470->16467 16471->16467 16472->16467 16474 4026fb 16473->16474 16475 4026cd 16473->16475 16474->16460 16476 4026e1 inet_ntoa 16475->16476 16477 4026de 16475->16477 16476->16477 16477->16460 16479 408d02 GetTickCount 16478->16479 16480 408dae 16478->16480 16479->16480 16483 408d19 16479->16483 16480->16463 16481 408da1 GetTickCount 16481->16480 16483->16481 16485 408d89 16483->16485 16579 40a677 16483->16579 16582 40a688 16483->16582 16485->16481 16590 40c2dc 16486->16590 16490 40c2dc 124 API calls 16489->16490 16491 40c4ec 16490->16491 16491->16463 16493 402020 16492->16493 16494 40202e 16492->16494 16495 40f04e 4 API calls 16493->16495 16496 40204b 16494->16496 16498 40f04e 4 API calls 16494->16498 16495->16494 16497 40206e GetTickCount 16496->16497 16499 40f04e 4 API calls 16496->16499 16500 4020db GetTickCount 16497->16500 16510 402090 16497->16510 16498->16496 16502 402068 16499->16502 16501 402132 GetTickCount GetTickCount 16500->16501 16512 4020e7 16500->16512 
16505 40f04e 4 API calls 16501->16505 16502->16497 16503 4020d4 GetTickCount 16503->16500 16504 40212b GetTickCount 16504->16501 16506 402159 16505->16506 16508 4021b4 16506->16508 16511 40e854 13 API calls 16506->16511 16507 402684 2 API calls 16507->16510 16513 40f04e 4 API calls 16508->16513 16510->16503 16510->16507 16517 4020ce 16510->16517 16853 401978 16510->16853 16514 40218e 16511->16514 16512->16504 16519 401978 15 API calls 16512->16519 16520 402125 16512->16520 16858 402ef8 16512->16858 16516 4021d1 16513->16516 16518 40e819 11 API calls 16514->16518 16521 4021f2 16516->16521 16523 40ea84 30 API calls 16516->16523 16517->16503 16522 40219c 16518->16522 16519->16512 16520->16504 16521->16467 16522->16508 16866 401c5f 16522->16866 16524 4021ec 16523->16524 16525 40f04e 4 API calls 16524->16525 16525->16521 16528 407dd6 6 API calls 16527->16528 16529 40833c 16528->16529 16530 406ec3 2 API calls 16529->16530 16534 408340 16529->16534 16531 40834f 16530->16531 16532 40835c 16531->16532 16536 40846b 16531->16536 16533 4073ff 17 API calls 16532->16533 16542 408373 16533->16542 16534->16467 16535 40675c 21 API calls 16552 4085df 16535->16552 16539 4084a7 RegOpenKeyExA 16536->16539 16565 408450 16536->16565 16537 408626 GetTempPathA 16538 408638 16537->16538 16941 406ba7 IsBadCodePtr 16538->16941 16543 4084c0 RegQueryValueExA 16539->16543 16544 40852f 16539->16544 16541 4086ad 16545 408762 16541->16545 16548 407e2f 6 API calls 16541->16548 16542->16534 16560 4083ea RegOpenKeyExA 16542->16560 16542->16565 16546 408521 RegCloseKey 16543->16546 16547 4084dd 16543->16547 16549 408564 RegOpenKeyExA 16544->16549 16556 4085a5 16544->16556 16545->16534 16551 40ec2e codecvt 4 API calls 16545->16551 16546->16544 16547->16546 16554 40ebcc 4 API calls 16547->16554 16557 4086bb 16548->16557 16553 408573 16549->16553 16549->16556 16550 40875b DeleteFileA 16550->16545 16551->16534 16552->16537 16552->16538 16552->16545 16553->16553 16558 408585 RegSetValueExA RegCloseKey 
16553->16558 16555 4084f0 16554->16555 16555->16546 16559 4084f8 RegQueryValueExA 16555->16559 16562 40ec2e codecvt 4 API calls 16556->16562 16556->16565 16557->16550 16566 4086e0 lstrcpyA lstrlenA 16557->16566 16558->16556 16559->16546 16561 408515 16559->16561 16563 4083fd RegQueryValueExA 16560->16563 16560->16565 16564 40ec2e codecvt 4 API calls 16561->16564 16562->16565 16567 40842d RegSetValueExA 16563->16567 16568 40841e 16563->16568 16570 40851d 16564->16570 16565->16535 16565->16552 16571 407fcf 64 API calls 16566->16571 16569 408447 RegCloseKey 16567->16569 16568->16567 16568->16569 16569->16565 16570->16546 16572 408719 CreateProcessA 16571->16572 16573 40873d CloseHandle CloseHandle 16572->16573 16574 40874f 16572->16574 16573->16545 16575 407ee6 64 API calls 16574->16575 16576 408754 16575->16576 16577 407ead 6 API calls 16576->16577 16578 40875a 16577->16578 16578->16550 16585 40a63d 16579->16585 16581 40a685 16581->16483 16583 40a63d GetTickCount 16582->16583 16584 40a696 16583->16584 16584->16483 16586 40a645 16585->16586 16587 40a64d 16585->16587 16586->16581 16588 40a66e 16587->16588 16589 40a65e GetTickCount 16587->16589 16588->16581 16589->16588 16606 40a4c7 GetTickCount 16590->16606 16593 40c300 GetTickCount 16595 40c337 16593->16595 16594 40c326 16594->16595 16596 40c32b GetTickCount 16594->16596 16600 40c363 GetTickCount 16595->16600 16605 40c45e 16595->16605 16596->16595 16597 40c4d2 16597->16463 16598 40c4ab InterlockedIncrement CreateThread 16598->16597 16599 40c4cb CloseHandle 16598->16599 16611 40b535 16598->16611 16599->16597 16601 40c373 16600->16601 16600->16605 16602 40c378 GetTickCount 16601->16602 16603 40c37f 16601->16603 16602->16603 16604 40c43b GetTickCount 16603->16604 16604->16605 16605->16597 16605->16598 16607 40a4f7 InterlockedExchange 16606->16607 16608 40a500 16607->16608 16609 40a4e4 GetTickCount 16607->16609 16608->16593 16608->16594 16608->16605 16609->16608 16610 40a4ef Sleep 16609->16610 16610->16607 16612 40b566 
16611->16612 16613 40ebcc 4 API calls 16612->16613 16614 40b587 16613->16614 16615 40ebcc 4 API calls 16614->16615 16663 40b590 16615->16663 16616 40bdcd InterlockedDecrement 16617 40bde2 16616->16617 16619 40ec2e codecvt 4 API calls 16617->16619 16620 40bdea 16619->16620 16621 40ec2e codecvt 4 API calls 16620->16621 16623 40bdf2 16621->16623 16622 40bdb7 Sleep 16622->16663 16625 40be05 16623->16625 16626 40ec2e codecvt 4 API calls 16623->16626 16624 40bdcc 16624->16616 16626->16625 16627 40ebed 8 API calls 16627->16663 16630 40b6b6 lstrlenA 16630->16663 16631 4030b5 2 API calls 16631->16663 16632 40e819 11 API calls 16632->16663 16633 40b6ed lstrcpyA 16685 405ce1 16633->16685 16636 40b731 lstrlenA 16636->16663 16637 40b71f lstrcmpA 16637->16636 16637->16663 16638 40b772 GetTickCount 16638->16663 16639 40bd49 InterlockedIncrement 16748 40a628 16639->16748 16642 40bc5b InterlockedIncrement 16642->16663 16643 40b7ce InterlockedIncrement 16695 40acd7 16643->16695 16646 40b912 GetTickCount 16646->16663 16647 40b826 InterlockedIncrement 16647->16638 16648 40b932 GetTickCount 16650 40bc6d InterlockedIncrement 16648->16650 16648->16663 16649 40bcdc closesocket 16649->16663 16650->16663 16651 4038f0 6 API calls 16651->16663 16653 40bba6 InterlockedIncrement 16653->16663 16656 40bc4c closesocket 16656->16663 16657 40a7c1 22 API calls 16657->16663 16659 405ce1 22 API calls 16659->16663 16660 40ba71 wsprintfA 16713 40a7c1 16660->16713 16661 405ded 12 API calls 16661->16663 16663->16616 16663->16622 16663->16624 16663->16627 16663->16630 16663->16631 16663->16632 16663->16633 16663->16636 16663->16637 16663->16638 16663->16639 16663->16642 16663->16643 16663->16646 16663->16647 16663->16648 16663->16649 16663->16651 16663->16653 16663->16656 16663->16657 16663->16659 16663->16660 16663->16661 16664 40ab81 lstrcpynA InterlockedIncrement 16663->16664 16665 40ef1e lstrlenA 16663->16665 16666 40a688 GetTickCount 16663->16666 16667 403e10 16663->16667 16670 403e4f 16663->16670 
16673 40384f 16663->16673 16693 40a7a3 inet_ntoa 16663->16693 16700 40abee 16663->16700 16712 401feb GetTickCount 16663->16712 16733 403cfb 16663->16733 16736 40ab81 16663->16736 16664->16663 16665->16663 16666->16663 16668 4030fa 4 API calls 16667->16668 16669 403e1d 16668->16669 16669->16663 16671 4030fa 4 API calls 16670->16671 16672 403e5c 16671->16672 16672->16663 16674 4030fa 4 API calls 16673->16674 16676 403863 16674->16676 16675 4038b2 16675->16663 16676->16675 16677 4038b9 16676->16677 16678 403889 16676->16678 16757 4035f9 16677->16757 16751 403718 16678->16751 16683 4035f9 6 API calls 16683->16675 16684 403718 6 API calls 16684->16675 16686 405cf4 16685->16686 16687 405cec 16685->16687 16689 404bd1 4 API calls 16686->16689 16763 404bd1 GetTickCount 16687->16763 16690 405d02 16689->16690 16768 405472 16690->16768 16694 40a7b9 16693->16694 16694->16663 16696 40f315 14 API calls 16695->16696 16697 40aceb 16696->16697 16698 40acff 16697->16698 16699 40f315 14 API calls 16697->16699 16698->16663 16699->16698 16701 40abfb 16700->16701 16705 40ac65 16701->16705 16831 402f22 16701->16831 16703 40f315 14 API calls 16703->16705 16704 40ac8a 16704->16663 16705->16703 16705->16704 16706 40ac6f 16705->16706 16707 40ab81 2 API calls 16706->16707 16709 40ac81 16707->16709 16708 402684 2 API calls 16711 40ac23 16708->16711 16839 4038f0 16709->16839 16711->16705 16711->16708 16712->16663 16714 40a87d lstrlenA send 16713->16714 16715 40a7df 16713->16715 16716 40a899 16714->16716 16717 40a8bf 16714->16717 16715->16714 16721 40a7fa wsprintfA 16715->16721 16724 40a80a 16715->16724 16725 40a8f2 16715->16725 16719 40a8a5 wsprintfA 16716->16719 16732 40a89e 16716->16732 16720 40a8c4 send 16717->16720 16717->16725 16718 40a978 recv 16718->16725 16726 40a982 16718->16726 16719->16732 16722 40a8d8 wsprintfA 16720->16722 16720->16725 16721->16724 16722->16732 16723 40a9b0 wsprintfA 16723->16732 16724->16714 16725->16718 16725->16723 16725->16726 16727 4030b5 2 API calls 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\OPgjjiInNK.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\OPgjjiInNK.exe$C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$D$P$\$pomunxzj
• API String ID: 2089075347-3416617256
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph (function 41a410-41a82f; the graph image is not preserved in this extraction)
APIs
• InterlockedIncrement.KERNEL32(?), ref: 0041A4CD
• SetConsoleTitleW.KERNEL32(00000000), ref: 0041A4D5
• GlobalSize.KERNEL32(00000000), ref: 0041A4DD
• FindAtomA.KERNEL32(00000000), ref: 0041A4E5
• SearchPathW.KERNEL32(0041C9EC,0041C9D4,0041C990,00000000,?,?), ref: 0041A509
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A513
• GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 0041A53B
• CopyFileExW.KERNEL32(0041CABC,0041CA28,00000000,00000000,00000000,00000000), ref: 0041A553
• GetEnvironmentStrings.KERNEL32 ref: 0041A559
• WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A578
• GetNumaHighestNodeNumber.KERNEL32(?), ref: 0041A583
• DebugActiveProcess.KERNEL32(00000000), ref: 0041A58B
• GetSystemDefaultLCID.KERNEL32 ref: 0041A5A5
• RtlEnterCriticalSection.NTDLL(?), ref: 0041A5B9
• LoadLibraryW.KERNEL32(00000000), ref: 0041A5D2
• GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A61C
• GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A631
• FoldStringA.KERNEL32(00000000,0041CB20,00000000,?,00000000), ref: 0041A662
• GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A685
• CallNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A692
• GetComputerNameA.KERNEL32(?,?), ref: 0041A6A5
• CopyFileA.KERNEL32(0041CBB0,0041CB74,00000000), ref: 0041A6B6
• GetFileAttributesW.KERNEL32(00000000), ref: 0041A6BD
• GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A6C3
• OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041A6CC
• GetBinaryType.KERNEL32(00000000,00000000), ref: 0041A6D4
• LocalAlloc.KERNEL32(00000000,02B3BD3C), ref: 0041A71A
• LoadLibraryW.KERNELBASE(0041CBD4), ref: 0041A761
• GlobalSize.KERNEL32(00000000), ref: 0041A78B
• InterlockedExchange.KERNEL32(?,00000000), ref: 0041A7BA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532049885.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_415000_qxavuooi.jbxd
Similarity
• API ID: Console$File$CopyDefaultGlobalInterlockedLengthLibraryLoadSizeSystem$ActiveAliasAliasesAllocAtomAttributesBinaryCallCommComputerConfigCriticalDebugEnterEnvironmentExchangeExesFindFoldHighestIncrementInformationLocalModeNameNamedNodeNumaNumberObjectOpenOutputPathPipeProcessSearchSectionStringStringsTimerTimesTitleTypeUserWaitableWrite
• String ID: G8@$k`$}$
• API String ID: 2021998368-2454866677
• Opcode ID: c20b0f9132504e20e45857b70263f7ed5fda3a721a27f081dae6514de2f19790
• Instruction ID: 1cb56033e5bb0cfc049956454b03617a232e848171a59f9ca16378ab9defabf1
• Opcode Fuzzy Hash: c20b0f9132504e20e45857b70263f7ed5fda3a721a27f081dae6514de2f19790
• Instruction Fuzzy Hash: 97A13871985310ABD320AB61DC49FDF3BA8EB4C715F00843AF259A61D1CB789941CBEE

Control-flow Graph (function 40637c-40640f; the graph image is not preserved in this extraction)
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph (function 4073ff-407808; the graph image is not preserved in this extraction)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 334003c, calls VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0334024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: a005e4b8292b910ce3c374a810ec4b037a6c46c990a37e87b18df34cc6019ab9
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: A3526974A01229DFDB64CF68C984BACBBB5BF09304F1480D9E94DAB351DB30AA85DF15

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 40977c, calls CreateProcessA, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread and TerminateProcess
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 41a0fd, calls GetModuleHandleW, GetProcAddress and VirtualProtect
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(02B3BC10), ref: 0041A1CE
                                                                                            • GetProcAddress.KERNEL32(00000000,00420740), ref: 0041A201
                                                                                            • VirtualProtect.KERNELBASE(02B3BA5C,02B3BD3C,00000040,?), ref: 0041A220
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532049885.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_qxavuooi.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2099061454-3916222277
                                                                                            • Opcode ID: a39bc834b0b1f7718e83533ef4769e581a0cf0e7cd2d49fb7ec58536719bd093
                                                                                            • Instruction ID: 86dd5a41ececfacf906e206a0d5956c4e61b7a975677dbe62a27e9abde9d3234
                                                                                            • Opcode Fuzzy Hash: a39bc834b0b1f7718e83533ef4769e581a0cf0e7cd2d49fb7ec58536719bd093
                                                                                            • Instruction Fuzzy Hash: 9531D131649340DAD330CF28E94475A3BB0FB84348F80596ED0488B2A6DB79155ACB5E

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 41a130, calls GetModuleHandleW, GetProcAddress and VirtualProtect
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(02B3BC10), ref: 0041A1CE
                                                                                            • GetProcAddress.KERNEL32(00000000,00420740), ref: 0041A201
                                                                                            • VirtualProtect.KERNELBASE(02B3BA5C,02B3BD3C,00000040,?), ref: 0041A220
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532049885.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_qxavuooi.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2099061454-3916222277
                                                                                            • Opcode ID: f5454f1364909d5afd693462bc0cccd3f0f7704ea35b0a32995bc537a029ea49
                                                                                            • Instruction ID: f068d6293579deb03121dfff12433525e98e11f5071f74c33473d7f72ac488a1
                                                                                            • Opcode Fuzzy Hash: f5454f1364909d5afd693462bc0cccd3f0f7704ea35b0a32995bc537a029ea49
                                                                                            • Instruction Fuzzy Hash: 39117C60A58340DAD330CF68F90571A3BF1FB84748F80546CD1489B2B6DFB52656CB9E

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 404000, calls CreateFileA, GetLastError and Sleep in a retry loop
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 406dc2, calls GetVolumeInformationA
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,J$B,,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID: J$B,
                                                                                            • API String ID: 1823874839-440322077
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                            Control-flow Graph

                                                                                             • Control-flow graph (rendered in the original report; node list omitted): function entry block at 406e36, calls GetUserNameW and LookupAccountNameW
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID:
                                                                                            • API String ID: 2370142434-0
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow graph (blocks 2c24276-2c242d4; calls CreateToolhelp32Snapshot and Module32First, plus an internal call to 2c23f35; graph image not reproduced)
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C2429E
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 02C242BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533258866.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C23000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2c23000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 77dc3ce430d48e0471a37015a159d82dd6edb162769fc202a4fd9e7d6201953e
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 84F096311007216FD7347BF6EC8CB6E76E8BF89625F100568E646D14C0DF70E9494A61

Control-flow graph (blocks 402816-402870; calls htons twice; graph image not reproduced)
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons
                                                                                            • String ID:
                                                                                            • API String ID: 4207154920-0
                                                                                            • Opcode ID: 187c86c8f1f781262b8a3b75dd470914a26b3971c19be9e3166c0f3fac1d64c3
                                                                                            • Instruction ID: 3082a3e8c454676fba1296bd51f7fa4b59934e38c5c07495e43d4969eff46972
                                                                                            • Opcode Fuzzy Hash: 187c86c8f1f781262b8a3b75dd470914a26b3971c19be9e3166c0f3fac1d64c3
                                                                                            • Instruction Fuzzy Hash: 62F0C837800134D6CF107B9689085BAB3EC9B11319B55C57BEC46F71C0E2B8EE4196A8

Control-flow graph (blocks 3340e0f-3340e2c; calls SetErrorMode twice; graph image not reproduced)
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,03340223,?,?), ref: 03340E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,03340223,?,?), ref: 03340E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: f2026793b3d1128916aeb3ea09ed4e43fb677b7757d87884c3e4870fdc5a5a31
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: C3D0123124512877D7002B94DC09BCDBB5CDF05B62F048011FB0DD9080C770954046E5

Control-flow graph (blocks 409892-4098f1; calls SetServiceStatus; graph image not reproduced)
                                                                                            APIs
                                                                                            • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0
                                                                                            • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                            • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C23F86
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533258866.0000000002C23000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C23000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2c23000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 1f89f5fd5d4b73ac22476bb693303f65f95ce1642d6ff7c53c7ed2b3505ae47a
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 2B113979A00208EFDB01DF98C985E98BBF5EF08750F0580A5F9489B361D775EA94EF80
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                            • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 033465F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03346610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 03346631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 03346652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: b93ddfe0141cd2f6f312f3cd334fd9b802a2f5a8532556e8df5723f19237c4a3
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 2F1173B1A00218BFDB219F65EC46F9B3FECEB057A5F144064F908EB250DBB5ED0086A4
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 03349E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 03349FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 03349FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0334A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0334A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0334A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0334A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0334A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0334A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 03349F13
                                                                                              • Part of subcall function 03347029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,J$B,,00000000,00000000,00000000,00000000), ref: 03347081
                                                                                              • Part of subcall function 03346F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wvtbuegq,03347043), ref: 03346F4E
                                                                                              • Part of subcall function 03346F30: GetProcAddress.KERNEL32(00000000), ref: 03346F55
                                                                                              • Part of subcall function 03346F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 03346F7B
                                                                                              • Part of subcall function 03346F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 03346F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0334A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0334A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0334A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0334A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0334A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0334A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0334A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0334A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0334A2F4
                                                                                            • wsprintfA.USER32 ref: 0334A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0334A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0334A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0334A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0334A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0334A1D1
                                                                                              • Part of subcall function 03349966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0334999D
                                                                                              • Part of subcall function 03349966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 033499BD
                                                                                              • Part of subcall function 03349966: RegCloseKey.ADVAPI32(?), ref: 033499C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0334A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0334A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0334A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 7961b9d27a34980b2372ced94420ec1f64895a6cde584724f3b482cfae6289d4
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: D4F142B1D40359AFDF21DBA09C88FEFBBFCAB08300F0444A5E605E6151E775AA848F65
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
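The API listings above are more useful when read as chains than as single calls: the function at 033465F6-03346652 allocates a PAGE_EXECUTE_READWRITE region in another process and writes into it, the function at 03349E6D-0334A41D opens HKEY_CURRENT_USER, sets a value, spawns a child with CREATE_NO_WINDOW and then deletes a file, and the function at 00401012-0040121A loads ntdll.dll by name and resolves Nt*/Rtl* exports at run time. The following is an added example, not part of the Joe Sandbox report, that parses "APIs" lines in the report's own format and flags those three chains. The sample input is constructed from lines copied from this page; the decode tables, the chain names and the argument positions are the example's own assumptions (only the handful of constants that matter here are decoded).

```python
"""Added example: parse Joe Sandbox "APIs" lines and flag behaviour chains.
Sample lines are copied from the report; decode tables and chain names are assumed."""
import re
from dataclasses import dataclass

# Line shapes present in the report:
#   • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 03346631
#   • ExitProcess.KERNEL32 ref: 03349E6D
#   • Part of subcall function 03346F30: GetProcAddress.KERNEL32(00000000), ref: 03346F55
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<dll>[\w.]+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Decode tables (assumed subset, not a full SDK dump).
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
PROTECT_ARG = {"VirtualAlloc": 3, "VirtualAllocEx": 4}   # index of flProtect
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
CREATE_NO_WINDOW = 0x08000000                             # dwCreationFlags is arg index 5


@dataclass
class Call:
    api: str
    dll: str
    args: list
    ref: int        # call-site address taken from "ref:"
    subcall: bool   # line came from a callee ("Part of subcall function")


def arg_int(arg):
    """The report prints unresolved arguments as '?' and constants as 8 hex digits."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_calls(text):
    """Keep API lines, skip everything else (headers, hashes, graph data).
    Splitting on ',' is fine for numeric positions but mis-splits string
    arguments that themselves contain commas (e.g. the GetVolumeInformationA line)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            calls.append(Call(m["api"], m["dll"], args, int(m["ref"], 16), bool(m["sub"])))
    return calls


def describe(call):
    """Decode the one constant that matters for a call, or '' if none is known."""
    ints = [arg_int(a) for a in call.args]
    if call.api in PROTECT_ARG and len(ints) > PROTECT_ARG[call.api]:
        return PAGE_PROTECT.get(ints[PROTECT_ARG[call.api]], "")
    if call.api == "RegOpenKeyExA" and ints:
        return HKEY.get(ints[0], "")
    if call.api == "CreateProcessA" and len(ints) > 5 and ints[5] == CREATE_NO_WINDOW:
        return "CREATE_NO_WINDOW"
    return ""


def in_order(calls, *preds):
    """True if each predicate matches a call strictly after the previous match."""
    pos = 0
    for pred in preds:
        while pos < len(calls) and not pred(calls[pos]):
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True


def find_chains(calls):
    """Behaviour chains the listing supports.  The report does not list calls in
    address order, so calls are sorted by call site; subcall lines run inside
    another function and are left out of the ordering."""
    main = sorted((c for c in calls if not c.subcall), key=lambda c: c.ref)
    findings = []
    if in_order(main, lambda c: c.api == "VirtualAllocEx" and describe(c) == "PAGE_EXECUTE_READWRITE",
                      lambda c: c.api == "WriteProcessMemory"):
        findings.append("remote_rwx_alloc_then_write")
    resolved = [c.args[1] for c in main if c.api == "GetProcAddress" and len(c.args) > 1]
    if any(c.api == "LoadLibraryA" and "ntdll.dll" in c.args for c in main) \
            and sum(n.startswith(("Nt", "Rtl")) for n in resolved) >= 3:
        findings.append("dynamic_ntdll_resolution")
    if in_order(main, lambda c: c.api == "RegOpenKeyExA" and describe(c) == "HKEY_CURRENT_USER",
                      lambda c: c.api == "RegSetValueExA",
                      lambda c: c.api == "CreateProcessA",
                      lambda c: c.api == "DeleteFileA"):
        findings.append("hkcu_write_spawn_then_delete")
    return findings


# Constructed sample: a subset of the API lines from the listings on this page.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(00000000), ref: 033465F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03346610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 03346631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 03346652
• ExitProcess.KERNEL32 ref: 03349E6D
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0334A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0334A1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0334A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0334A398
  • Part of subcall function 03346F30: GetProcAddress.KERNEL32(00000000), ref: 03346F55
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
"""

if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in sorted(parsed, key=lambda c: c.ref):
        print(f"{c.ref:08X} {c.api}.{c.dll} {describe(c)}")
    print(find_chains(parsed))
```

The chain detector is deliberately conservative: it only reports the HKCU chain when the registry write, the child spawn and the file delete occur in that order by call site, and it ignores subcall lines because their "ref:" addresses belong to the callee. The key name in the RegOpenKeyExA line is unresolved ("?"), so the example does not claim a specific Run key; it reports only what the listing shows.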
APIs
• GetLocalTime.KERNEL32(?), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$D
• API String ID: 2976863881-4243593276
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 03347D21
• GetUserNameA.ADVAPI32(?,?), ref: 03347D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 03347D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 03347DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 03347DC0
• EqualSid.ADVAPI32(?,?), ref: 03347DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 03347DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 03347DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 03347E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 03347E12
• LocalFree.KERNEL32(00000000), ref: 03347E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 03347E35
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$D
• API String ID: 2976863881-4243593276
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 03347A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 03347ACD
• GetLengthSid.ADVAPI32(?), ref: 03347ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 03347B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 03347B1F
• EqualSid.ADVAPI32(?,?), ref: 03347B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 03347B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 03347B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 03347B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 03347B77
• LocalFree.KERNEL32(00000000), ref: 03347B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 03347B9A
• GetAce.ADVAPI32(?,?,?), ref: 03347BCA
• EqualSid.ADVAPI32(?,?), ref: 03347BF1
• DeleteAce.ADVAPI32(?,?), ref: 03347C0A
• EqualSid.ADVAPI32(?,?), ref: 03347C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 03347CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 03347CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 03347CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 03347CE0
• LocalFree.KERNEL32(00000000), ref: 03347CEE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$localcfg
• API String ID: 237177642-1071712786
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0334865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0334867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 033486A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 033486B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
                                                                                            • API String ID: 237177642-3298676554
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: c2106c53d5ff40c9efe6d931911a3d5551cf830a2e6b2be0b6cacb247e1dbf34
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 73C18071D00208BEEB11EBA4DDC4EEF7BFDEB05300F1840A5F604EA050E776AA949B65
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 03341601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 033417D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: da33de5098f282c2f293a237e081dc2c10f2984775eb824e546ff7b9b9a9b409
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 28F17EB59087419FD720CF64C8C8BABBBE8FB88305F04892DF59697290D774E984CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 033476D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 03347757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0334778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 033478B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0334794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0334796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0334797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 033479AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 03347A56
                                                                                              • Part of subcall function 0334F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0334772A,?), ref: 0334F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 033479F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 03347A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: b183c80ac073a67d54eeeb5ac15764c269233ba9391bda488d148fb1288e1062
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 43C19471900209AFDB21DFA4DC85FEEBBFDEF45310F1840A5E554EA150EB75EA848B60
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(774D0F10,?,774D0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 03342CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 03342D07
                                                                                            • htons.WS2_32(00000000), ref: 03342D42
                                                                                            • select.WS2_32 ref: 03342D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 03342DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 03342E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 44b66747bf12e23c7f907de1ad2feb64e727219ef29d49d18fa55c17f718e65b
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: DD61E171904305ABC320DF65DC88B6BBBECEF88341F094C59F984E7160D7B4E8808BA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,774D0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,774D0F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,774D0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 0334202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 0334204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0334206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03342071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 03342082
                                                                                            • GetTickCount.KERNEL32 ref: 03342230
                                                                                              • Part of subcall function 03341E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 03341E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: 10c21542ab0c98413414a7c9063aebe145889540b8feb8033b2b641fa4b1c0df
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: DD51BEB4900348AFE330EF658CC5F67BAECFB44604F04492DF99696142EBB9B9848765
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-3679488032
                                                                                            • Opcode ID: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction ID: bd7dfe77e026ff01e11c6618f048304d5953ff5d6b37f7005ea1b6d17bf081bd
                                                                                            • Opcode Fuzzy Hash: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction Fuzzy Hash: 263197B25401197ADF016B96CCC2DFFBB6CEF49348B14052BF904B1182EB789A6587E9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 03343068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 03343078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 03343095
• RtlAllocateHeap.NTDLL(00000000), ref: 033430B6
• htons.WS2_32(00000035), ref: 033430EF
• inet_addr.WS2_32(?), ref: 033430FA
• gethostbyname.WS2_32(?), ref: 0334310D
• HeapFree.KERNEL32(00000000), ref: 0334314D
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: b0787191098ada7f59b40c664a148af61154ce188f05d500aee23ed01c381364
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 3131B835A00206ABDB11EBB49C88AAEB7F8EF04770F184265F519E7290DB74E5518B54

APIs
• GetVersionExA.KERNEL32(?), ref: 033495A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 033495D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 033495DC
• wsprintfA.USER32 ref: 03349635
• wsprintfA.USER32 ref: 03349673
• wsprintfA.USER32 ref: 033496F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 03349758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0334978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 033497D8
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: c04d19fef71832f638c81ccccd793639ffbd960fa9be3338fc7bd8452cb7dbbb
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: C2A179B2940208AFEB21DFA4CC85FDB3BECEB04741F144066FA15E6151E7B5E584CBA5

APIs
• GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• IsBadReadPtr.KERNEL32(?,00000008), ref: 033467C3
• htonl.WS2_32(?), ref: 033467DF
• htonl.WS2_32(?), ref: 033467EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 033468F1
• ExitProcess.KERNEL32 ref: 033469BC
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: Processhtonl$CurrentExitRead
• String ID: except_info$localcfg
• API String ID: 1430491713-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 307fe97c35a6c52868a76ac76c8a8cf6573817c29f813c8f0542d40e6fa96e62
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 3C616F71940208AFDB60DFB4DC45FEA77E9FB09300F148066F96DD2161DAB5A9908F54

APIs
• htons.WS2_32(0334CC84), ref: 0334F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0334F5CE
• closesocket.WS2_32(00000000), ref: 0334F5DC
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: b359e3b431ef1688fd852365f73d2d81c810a5acd3b6bd5c7f8d594fa29f230a
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 07317A76900218ABDB10DFA5DC88DEE7BFCEF88310F1445A6F905E3150E774AA818BA4

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98

APIs
• GetModuleHandleA.KERNEL32(?), ref: 03342FA1
• LoadLibraryA.KERNEL32(?), ref: 03342FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 03342FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 03343000
• RtlAllocateHeap.NTDLL(00000000), ref: 03343007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 03343032
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 7534516f22c3d20216c503faa476e4a30a82bfd97abe3bc44423960115de20a8
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 27219075900629BBCB21DB95DC88AAFFBFCEF08B10F044561F942E7140D7B4AA8187E4

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 03349A18
• GetThreadContext.KERNEL32(?,?), ref: 03349A52
• TerminateProcess.KERNEL32(?,00000000), ref: 03349A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 03349A98
• SetThreadContext.KERNEL32(?,00010002), ref: 03349AB5
• ResumeThread.KERNEL32(?), ref: 03349AC2
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 87a2d509561e5931b180eb0b086fa40e17224bbaa7faeb34260a8d1be1d1e84e
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 99216BB1E01219BBDB11DBA1DC49FEFBBBCEF04750F044061BA09E5050E7759A44CBA4

APIs
• inet_addr.WS2_32(004102D8), ref: 03341C18
• LoadLibraryA.KERNEL32(004102C8), ref: 03341C26
• GetProcessHeap.KERNEL32 ref: 03341C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 03341C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 03341CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 03341D02
• FreeLibrary.KERNEL32(?), ref: 03341D0B
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 14b4321d50598c70289e83fa34e8f40d85289ba57ccb4095d291cd0726cd9a2d
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: D6315A72E00209BFCB11DFA4DDC98FEBAF9EB46701B2844BAE501A2110D7B55EC0CB94
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 03346CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 03346D22
                                                                                            • GetLastError.KERNEL32 ref: 03346DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 03346DB5
                                                                                            • GetLastError.KERNEL32 ref: 03346DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 03346DE7
                                                                                            • GetLastError.KERNEL32 ref: 03346DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: e94e06da2962c489d9dd4a161e9482518aff0e98707c29740cd4e1bccf488434
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: AF310376D00249BFCB01DFA4DD85ADEBFF9FB4A200F188166E211F7220D770A6858B61
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wvtbuegq,03347043), ref: 03346F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03346F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 03346F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 03346F92
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$\\.\pipe\wvtbuegq
                                                                                            • API String ID: 1082366364-3963973831
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: 954405bb533ec9369c4eadebc1df7a8581e7bf3179efdd3f2c45bb211bb0660a
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: E821CF21B413407AF722D7319CC9FBB2EDC8B42620F1C40A5F444EA491DBDDE4D682AD
                                                                                            APIs
                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A2ED
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A305
                                                                                            • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A30D
                                                                                            • SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,0041C984), ref: 0041A354
                                                                                            • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A365
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532049885.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_qxavuooi.jbxd
                                                                                            Similarity
                                                                                            • API ID: BuildCalendarCommExceptionFilterInfoNamePathPrivateProfileShortStringUnhandledWrite
                                                                                            • String ID: -
                                                                                            • API String ID: 1417380309-2547889144
                                                                                            • Opcode ID: 194fcf32e7f97bc96fd691d7a03e22e60329f69e963f5865272f8d44103360b1
                                                                                            • Instruction ID: eb2b044afba0a356212631dcb840a836c037afd69ed90e5d23667867df488ba6
                                                                                            • Opcode Fuzzy Hash: 194fcf32e7f97bc96fd691d7a03e22e60329f69e963f5865272f8d44103360b1
                                                                                            • Instruction Fuzzy Hash: 5F21E970685308ABD7209F64DC85BEE7BB4EB0C715F5000A9FB19AB2C1CB741AD58B5E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: bd21e1241aacb223392d8b5fad1a3e85a0dbebdfbb4af794188a30abf44ef481
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: AF715A72AC4308AAEF21DB58DCC5FEE77EDAB01705F2C4066F904A60D0DA62B9C48755
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 0334DF6C: GetCurrentThreadId.KERNEL32 ref: 0334DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0334E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,03346128), ref: 0334E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0334E989
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: 19bd2e6d1e00baab772bf740e47a3f9a0e785e92e921dd1bb015a243a0a522da
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: CE316D31A00715ABDF71CF24CCC4BA67BE8FB05721F18896AE5958B591D378F880CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: 8d28e21e9091765eaab61059015e5aa0af75a5b96c563d1add783977be069461
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: DB218E76504215BFDB10DF70FD89EDF7FEDEB4A260B108421F502D10A1EB70AA809A74
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 033492E2
                                                                                            • wsprintfA.USER32 ref: 03349350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03349375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 03349389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 03349394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0334939B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: c1ba7e7a35f12496d2b6ad7392f327ae998c31f817c552c24d479ae50f56b877
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: 6A1196B5B402147BE720A731EC4DFEF3AADDBC9B11F01C165BB09E9090EBB55A418664
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,0040E538,?,774D0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0334C6B4
• InterlockedIncrement.KERNEL32(0334C74B), ref: 0334C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0334C747), ref: 0334C728
• CloseHandle.KERNEL32(00000000,?,0334C747,00413588,03348A77), ref: 0334C733
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: eee61ed1a7c89adceb56ee5452bbef061ca7ac4272f1f2ac1a97ad40a6e41c50
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 7B512CB5A01B419FD724DF69C9C452AFBE9FB48200B54693EE18BC7AA0D774F844CB10
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
• API String ID: 124786226-2632200365
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
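The per-function listings on this page are easier to query once they are structured: which entries touch the dropped path C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe, which modules a dump region imports, which calls come from a subroutine rather than the function itself. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses only the layout visible above (API lines with module, argument tokens, call-site address and the "Part of subcall function" marker; the memory-dump source line; the Similarity fields) and the regular expressions assume nothing beyond that layout. The sample text is copied from the two entries above, with the file-read entry trimmed to four of its calls.

```python
"""Parser for the per-function 'APIs' listings Joe Sandbox emits (layout as on this page).
Added example, not Joe Sandbox code; SAMPLE is copied from the report above (trimmed)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• CreateThread.KERNEL32(00000000,...,0334C747), ref: 0334C728"
# "• Part of subcall function 0040675C: ReadFile.KERNEL32(...), ref: 00406807"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
SOURCE_LINE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+), Offset:\s*(?P<offset>[0-9A-Fa-f]{8}),"
    r" based on PE:\s*(?P<pe>true|false)$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")  # "• String ID: localcfg"


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]                    # raw tokens; "?" = value the plugin could not resolve
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # API ID, String ID, hashes
    source_file: Optional[str] = None
    base: Optional[int] = None
    based_on_pe: Optional[bool] = None

    @property
    def string_id(self) -> str:
        return self.fields.get("String ID", "")


def parse_report(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    entries: list[FunctionEntry] = []
    cur = FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_LINE.match(line):
            args = m["args"].split(",") if m["args"] else []
            sub = int(m["subfn"], 16) if m["subfn"] else None
            cur.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
        elif m := SOURCE_LINE.match(line):
            cur.source_file, cur.base = m["file"], int(m["offset"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif m := FIELD_LINE.match(line):
            key = m["key"].strip()
            cur.fields[key] = m["value"].strip()
            if key == "Instruction Fuzzy Hash":      # last line of an entry
                entries.append(cur)
                cur = FunctionEntry()
    if cur.calls or cur.fields:                      # report cut off mid-entry
        entries.append(cur)
    return entries


def entries_referencing(entries: list[FunctionEntry], needle: str) -> list[FunctionEntry]:
    """Entries whose String ID or any call argument contains `needle` (case-insensitive)."""
    n = needle.lower()
    return [e for e in entries
            if n in e.string_id.lower() or any(n in a.lower() for c in e.calls for a in c.args)]


def modules_used(entries: list[FunctionEntry]) -> dict[str, set[str]]:
    """module -> API names seen, e.g. to spot WS2_32 or ADVAPI32 use across a dump."""
    out: dict[str, set[str]] = {}
    for e in entries:
        for c in e.calls:
            out.setdefault(c.module, set()).add(c.api)
    return out


SAMPLE = r"""
APIs
• GetTickCount.KERNEL32 ref: 0334C6B4
• InterlockedIncrement.KERNEL32(0334C74B), ref: 0334C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0334C747), ref: 0334C728
• CloseHandle.KERNEL32(00000000,?,0334C747,00413588,03348A77), ref: 0334C733
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• Instruction Fuzzy Hash: 7B512CB5A01B419FD724DF69C9C452AFBE9FB48200B54693EE18BC7AA0D774F844CB10
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
"""
```

Call-site addresses are kept as integers so they can be related to each dump's base (0x400000 for the PE-backed image, 0x3340000 for the non-PE region), and argument tokens are kept raw because "?" marks values the plugin could not resolve; `entries_referencing(parse_report(SAMPLE), "qxavuooi.exe")` returns the file-read entry, and the same call over a whole report finds every function that names the dropped binary.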
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 033471E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 03347228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 03347286
                                                                                            • wsprintfA.USER32 ref: 0334729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: acc3ba543b745fb630eec2c79dbb228773254d7bf31533b1165e5283f5c5916d
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: 9A311A76900208BBDB01DFA8DC85ADA7BECEF04354F148166F959DB201EB75E6488B94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0334B51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0334B529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0334B548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0334B590
                                                                                            • wsprintfA.USER32 ref: 0334B61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: e0a166f8cfafe5e506832efe85c166dde4e5f9da2e61e5f1164b92b3df283c62
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 4D5110B1D0021CAACF14DFD5D8885EEFBB9BF48304F14816AE505A6150E7B89AC9CF98
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 03346303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 0334632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 033463B1
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 03346405
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: 86940326c2f5f0823d1a50a03b177166515a9fcdbad24ca447c2bd5961a50349
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: D34149B1A00209ABDB14CF99DCC5AA9B7F8FF05354F188169E815D72A0E771F984CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,774D0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1802437671-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 033493C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 033493CD
                                                                                            • CharToOemA.USER32(?,?), ref: 033493DB
                                                                                            • wsprintfA.USER32 ref: 03349410
                                                                                              • Part of subcall function 033492CB: GetTempPathA.KERNEL32(00000400,?), ref: 033492E2
                                                                                              • Part of subcall function 033492CB: wsprintfA.USER32 ref: 03349350
                                                                                              • Part of subcall function 033492CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03349375
                                                                                              • Part of subcall function 033492CB: lstrlen.KERNEL32(?,?,00000000), ref: 03349389
                                                                                              • Part of subcall function 033492CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 03349394
                                                                                              • Part of subcall function 033492CB: CloseHandle.KERNEL32(00000000), ref: 0334939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 03349448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 49b3dff06ca277be3f960dd36916a32fc4f993586882ea339a2e2914a9968dda
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: D90180F69001187BD720A7619D89FDF3ABCDB85701F0000A1BB09E2080DAB496C48F75
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 02d1400d73d638729d7122f92453131dedfaeea6c8b39fb884c22a4196b83a58
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: DCE0EC306045119FDB50DB28FC88ADA77E9AF4A231F0989D5F454E71A0C774EC819654
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0334E50A,00000000,00000000,00000000,00020106,00000000,0334E50A,00000000,000000E4), ref: 0334E319
                                                                                            • RegSetValueExA.ADVAPI32(0334E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0334E38E
                                                                                            • RegDeleteValueA.ADVAPI32(0334E50A,?,?,?,?,?,000000C8,004122F8), ref: 0334E3BF
                                                                                            • RegCloseKey.ADVAPI32(0334E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0334E50A), ref: 0334E3C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: af89b986b67b2a443f9d016f89ad346eac604987307c10ea79f93764602edf67
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: 5E212C71A0021DABDF21DFA5EC89EEE7FB9EF08750F048061F904A6160E6719A54D7A0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 033441AB
                                                                                            • GetLastError.KERNEL32 ref: 033441B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 033441C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 033441D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 667fb16f50857705a94fbf2c1cdb251ce9888d4820a688d881fe7db97514d7fa
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 3701C87691110AAFDF01DF92ED84BEF7BACEB18255F1080A1F901E2050D774EA648BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0334421F
                                                                                            • GetLastError.KERNEL32 ref: 03344229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0334423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0334424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: ae0fe35cacd9febf572a18481806698ef8a211e3a17988d5bffec45aabbd2f34
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: C301C872511109AFDF01DF91ED84BEF7BACEB08256F108461F901E2060D770EA548BB6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0334E066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 9283193893767e8ef21a49774f46a842845c501bdb07ab6a5d2d87ebc1ad36f3
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 43F06D722007029BCB20CF66DCC4A82B7E9FB09321B488A6BE168C3060D378B498CB51
                                                                                            APIs
                                                                                            • QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B03C,0041A771), ref: 0041A3BC
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B03C,0041A771), ref: 0041A3D7
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A3FA
                                                                                            • GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A404
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532049885.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_qxavuooi.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                            • String ID:
                                                                                            • API String ID: 2305449109-0
                                                                                            • Opcode ID: 4c0f42d26a76dfa3f20223abca6f33b6da74c46575f0e003faa6d2fec53e1458
                                                                                            • Instruction ID: 6db4692fb877ccccee5eb756e0d798b8d09dcb931a060774b89a74a442978187
                                                                                            • Opcode Fuzzy Hash: 4c0f42d26a76dfa3f20223abca6f33b6da74c46575f0e003faa6d2fec53e1458
                                                                                            • Instruction Fuzzy Hash: 61F089317C5300E7E6306754EC4AF8A3764E70875AF108463F7199A2D5C7B458608F5F
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                            • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 033483C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 03348477
                                                                                              • Part of subcall function 0334EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,03341DCF,?), ref: 0334EEA8
                                                                                              • Part of subcall function 0334EE95: HeapFree.KERNEL32(00000000), ref: 0334EEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$CloseFreeOpenProcess
                                                                                            • String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
                                                                                            • API String ID: 1016092768-2632200365
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: c8497e109012049b0616ca24b004119a7bd3b53c3524a8563b17e0738e4e61bd
                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction Fuzzy Hash: 854156B5D01209BFDB10EBA4ADC0DFF77FCEB04344F1844A6E504EA150F6756A948B55
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0334AFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0334B00D
                                                                                              • Part of subcall function 0334AF6F: gethostname.WS2_32(?,00000080), ref: 0334AF83
                                                                                              • Part of subcall function 0334AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0334AFE6
                                                                                              • Part of subcall function 0334331C: gethostname.WS2_32(?,00000080), ref: 0334333F
                                                                                              • Part of subcall function 0334331C: gethostbyname.WS2_32(?), ref: 03343349
                                                                                              • Part of subcall function 0334AA0A: inet_ntoa.WS2_32(00000000), ref: 0334AA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction ID: 6c782341d57cd650140f13555584cb148c2e8a8f5ffa591fc74b7e56b671a71e
                                                                                            • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction Fuzzy Hash: 654141B690430CABDF25EFA0DC85EEE3BACFF08304F144426F92896151EB75E6548B54
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 03349536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 0334955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction ID: c022cd937f20e5257efa59f840a2b3e9585ba3c25ae9686f9932fad6b354c269
                                                                                            • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction Fuzzy Hash: 8C41F371C083846EEB36DB68ECCDBB77BE89B02314F2D41E5D4869B1A2D7B469818711
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0334B9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0334BA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0334BA94
                                                                                            • GetTickCount.KERNEL32 ref: 0334BB79
                                                                                            • GetTickCount.KERNEL32 ref: 0334BB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0334BE15
                                                                                            • closesocket.WS2_32(00000000), ref: 0334BEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction ID: 03c5dfb62182497be15b06501960cd4367ba37d5221832d684a31ca8d4dee4ed
                                                                                            • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction Fuzzy Hash: E3318D71804248DFDF29DFA4EC84AE9B7F8EB88700F244066FA6486160DB31E685CF10
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                            • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 033470BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 033470F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 080bc48874fc96f93a38eb15f7652bb3d55a15fc03296246427ef500616bef1a
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: E111BA72900118EBDB51DBE4DD84ADEB7FDAB08711F1441A6E511F6190D770AB889BA0
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000C.00000002.1532017321.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

APIs
  • Part of subcall function 03342F88: GetModuleHandleA.KERNEL32(?), ref: 03342FA1
  • Part of subcall function 03342F88: LoadLibraryA.KERNEL32(?), ref: 03342FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 033431DA
• HeapFree.KERNEL32(00000000), ref: 033431E1
Memory Dump Source
• Source File: 0000000C.00000002.1533427526.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_3340000_qxavuooi.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: 842105194088d5b941b6b6f4d4d4f691cc07bd3ef9868383d28f9730e5f38864
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: 37518E79900246AFDF01DF64DC849EAB7B9FF05315F1845A9EC96C7210E732AA29CB90

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1804
Total number of Limit Nodes: 18
RegEnumKeyA 6871 407714 RegCloseKey 6870->6871 6870->6880 6871->6869 6872 40f1a5 lstrlenA 6872->6880 6873 4074d2 RegOpenKeyExA 6873->6880 6874 40772c 6876 407742 RegCloseKey 6874->6876 6877 40774b 6874->6877 6875 407521 RegQueryValueExA 6875->6880 6876->6877 6878 4077ec RegCloseKey 6877->6878 6878->6869 6879 4076e4 RegCloseKey 6879->6880 6880->6870 6880->6872 6880->6873 6880->6874 6880->6875 6880->6879 6882 40777e GetFileAttributesExA 6880->6882 6883 407769 6880->6883 6881 4077e3 RegCloseKey 6881->6878 6882->6883 6883->6881 6885 40783d LookupAccountNameA 6884->6885 6886 407a8d 6884->6886 6885->6886 6887 407874 GetLengthSid GetFileSecurityA 6885->6887 6886->6834 6887->6886 6888 4078a8 GetSecurityDescriptorOwner 6887->6888 6889 4078c5 EqualSid 6888->6889 6890 40791d GetSecurityDescriptorDacl 6888->6890 6889->6890 6891 4078dc LocalAlloc 6889->6891 6890->6886 6897 407941 6890->6897 6891->6890 6892 4078ef InitializeSecurityDescriptor 6891->6892 6893 407916 LocalFree 6892->6893 6894 4078fb SetSecurityDescriptorOwner 6892->6894 6893->6890 6894->6893 6896 40790b SetFileSecurityA 6894->6896 6895 40795b GetAce 6895->6897 6896->6893 6897->6886 6897->6895 6898 407980 EqualSid 6897->6898 6899 407a3d 6897->6899 6900 4079be EqualSid 6897->6900 6901 40799d DeleteAce 6897->6901 6898->6897 6899->6886 6902 407a43 LocalAlloc 6899->6902 6900->6897 6901->6897 6902->6886 6903 407a56 InitializeSecurityDescriptor 6902->6903 6904 407a62 SetSecurityDescriptorDacl 6903->6904 6905 407a86 LocalFree 6903->6905 6904->6905 6906 407a73 SetFileSecurityA 6904->6906 6905->6886 6906->6905 6907 407a83 6906->6907 6907->6905 6909 407fa6 6908->6909 6909->6837 6911 407ac4 6910->6911 6912 407acb GetUserNameA 6910->6912 6911->6840 6913 407da7 RegCloseKey 6912->6913 6914 407aed LookupAccountNameA 6912->6914 6913->6911 6914->6913 6915 407b24 RegGetKeySecurity 6914->6915 6915->6913 6916 407b49 GetSecurityDescriptorOwner 6915->6916 6917 407b63 EqualSid 6916->6917 6918 407bb8 GetSecurityDescriptorDacl 6916->6918 
6917->6918 6920 407b74 LocalAlloc 6917->6920 6919 407da6 6918->6919 6926 407bdc 6918->6926 6919->6913 6920->6918 6921 407b8a InitializeSecurityDescriptor 6920->6921 6922 407bb1 LocalFree 6921->6922 6923 407b96 SetSecurityDescriptorOwner 6921->6923 6922->6918 6923->6922 6925 407ba6 RegSetKeySecurity 6923->6925 6924 407bf8 GetAce 6924->6926 6925->6922 6926->6919 6926->6924 6927 407c1d EqualSid 6926->6927 6928 407cd9 6926->6928 6929 407c5f EqualSid 6926->6929 6930 407c3a DeleteAce 6926->6930 6927->6926 6928->6919 6931 407d5a LocalAlloc 6928->6931 6933 407cf2 RegOpenKeyExA 6928->6933 6929->6926 6930->6926 6931->6919 6932 407d70 InitializeSecurityDescriptor 6931->6932 6934 407d7c SetSecurityDescriptorDacl 6932->6934 6935 407d9f LocalFree 6932->6935 6933->6931 6938 407d0f 6933->6938 6934->6935 6936 407d8c RegSetKeySecurity 6934->6936 6935->6919 6936->6935 6937 407d9c 6936->6937 6937->6935 6939 407d43 RegSetValueExA 6938->6939 6939->6931 6940 407d54 6939->6940 6940->6931 6942 40f1c3 6941->6942 6942->6848 6943->6349 6945 40dd05 6 API calls 6944->6945 6948 40e65f 6945->6948 6946 40ebcc 4 API calls 6950 40e6b0 6946->6950 6947 40e6a5 6947->6946 6953 40e6f5 6947->6953 6948->6947 6949 40e68c lstrcmpA 6948->6949 6949->6948 6951 40e6b7 6950->6951 6952 40e6e0 lstrcpynA 6950->6952 6950->6953 6951->6351 6952->6953 6953->6951 6954 40e71d lstrcmpA 6953->6954 6954->6953 6955->6357 6957 402692 inet_addr 6956->6957 6958 40268e 6956->6958 6957->6958 6959 40269e gethostbyname 6957->6959 6960 40f428 6958->6960 6959->6958 7108 40f315 6960->7108 6963 40f43e 6964 40f473 recv 6963->6964 6965 40f458 6964->6965 6966 40f47c 6964->6966 6965->6964 6965->6966 6966->6388 6968 40c525 6967->6968 6969 40c532 6967->6969 6968->6969 6971 40ec2e codecvt 4 API calls 6968->6971 6970 40c548 6969->6970 7121 40e7ff 6969->7121 6973 40e7ff lstrcmpiA 6970->6973 6981 40c54f 6970->6981 6971->6969 6974 40c615 6973->6974 6975 40ebcc 4 API calls 6974->6975 6974->6981 6975->6981 6976 40c5d1 6978 40ebcc 4 API calls 
6976->6978 6978->6981 6979 40e819 11 API calls 6980 40c5b7 6979->6980 6982 40f04e 4 API calls 6980->6982 6981->6371 6983 40c5bf 6982->6983 6983->6970 6983->6976 6985 40c8d2 6984->6985 6986 40c907 6985->6986 6987 40c517 23 API calls 6985->6987 6986->6372 6987->6986 6989 40c670 6988->6989 6990 40c67d 6988->6990 6991 40ebcc 4 API calls 6989->6991 6992 40ebcc 4 API calls 6990->6992 6993 40c699 6990->6993 6991->6990 6992->6993 6994 40c6f3 6993->6994 6995 40c73c send 6993->6995 6994->6401 6994->6467 6995->6994 6997 40c770 6996->6997 6998 40c77d 6996->6998 6999 40ebcc 4 API calls 6997->6999 7000 40c799 6998->7000 7001 40ebcc 4 API calls 6998->7001 6999->6998 7002 40c7b5 7000->7002 7003 40ebcc 4 API calls 7000->7003 7001->7000 7004 40f43e recv 7002->7004 7003->7002 7005 40c7cb 7004->7005 7006 40f43e recv 7005->7006 7007 40c7d3 7005->7007 7006->7007 7007->6467 7124 407db7 7008->7124 7011 407e96 7011->6467 7012 40f04e 4 API calls 7014 407e4c 7012->7014 7013 40f04e 4 API calls 7013->7011 7015 40f04e 4 API calls 7014->7015 7016 407e70 7014->7016 7015->7016 7016->7011 7016->7013 7018 406ec3 2 API calls 7017->7018 7019 407fdd 7018->7019 7020 4073ff 17 API calls 7019->7020 7029 4080c2 CreateProcessA 7019->7029 7021 407fff 7020->7021 7022 407809 21 API calls 7021->7022 7021->7029 7023 40804d 7022->7023 7024 40ef1e lstrlenA 7023->7024 7023->7029 7025 40809e 7024->7025 7026 40ef1e lstrlenA 7025->7026 7027 4080af 7026->7027 7028 407a95 24 API calls 7027->7028 7028->7029 7029->6453 7029->6454 7031 407db7 2 API calls 7030->7031 7032 407eb8 7031->7032 7033 40f04e 4 API calls 7032->7033 7034 407ece DeleteFileA 7033->7034 7034->6467 7036 40dd05 6 API calls 7035->7036 7037 40e31d 7036->7037 7128 40e177 7037->7128 7039 40e326 7039->6425 7041 4031f3 7040->7041 7051 4031ec 7040->7051 7042 40ebcc 4 API calls 7041->7042 7056 4031fc 7042->7056 7043 40344b 7044 403459 7043->7044 7045 40349d 7043->7045 7046 40f04e 4 API calls 7044->7046 7047 40ec2e codecvt 4 API calls 7045->7047 7048 40345f 
7046->7048 7047->7051 7049 4030fa 4 API calls 7048->7049 7049->7051 7050 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7050->7056 7051->6467 7052 40344d 7053 40ec2e codecvt 4 API calls 7052->7053 7053->7043 7055 403141 lstrcmpiA 7055->7056 7056->7043 7056->7050 7056->7051 7056->7052 7056->7055 7154 4030fa GetTickCount 7056->7154 7058 4030fa 4 API calls 7057->7058 7059 403c1a 7058->7059 7063 403ce6 7059->7063 7159 403a72 7059->7159 7062 403a72 9 API calls 7065 403c5e 7062->7065 7063->6467 7064 403a72 9 API calls 7064->7065 7065->7063 7065->7064 7066 40ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7065->7066 7066->7065 7068 403a10 7067->7068 7069 4030fa 4 API calls 7068->7069 7070 403a1a 7069->7070 7070->6467 7072 40dd05 6 API calls 7071->7072 7073 40e7be 7072->7073 7073->6467 7075 40c105 7074->7075 7076 40c07e wsprintfA 7074->7076 7075->6467 7168 40bfce GetTickCount wsprintfA 7076->7168 7078 40c0ef 7169 40bfce GetTickCount wsprintfA 7078->7169 7081 407047 7080->7081 7082 406f88 LookupAccountNameA 7080->7082 7081->6467 7084 407025 7082->7084 7085 406fcb 7082->7085 7170 406edd 7084->7170 7088 406fdb ConvertSidToStringSidA 7085->7088 7088->7084 7089 406ff1 7088->7089 7090 407013 LocalFree 7089->7090 7090->7084 7092 40dd05 6 API calls 7091->7092 7093 40e85c 7092->7093 7094 40dd84 lstrcmpiA 7093->7094 7095 40e867 7094->7095 7096 40e885 lstrcpyA 7095->7096 7181 4024a5 7095->7181 7184 40dd69 7096->7184 7102 407db7 2 API calls 7101->7102 7103 407de1 7102->7103 7104 407e16 7103->7104 7105 40f04e 4 API calls 7103->7105 7104->6467 7106 407df2 7105->7106 7106->7104 7107 40f04e 4 API calls 7106->7107 7107->7104 7109 40f33b 7108->7109 7117 40ca1d 7108->7117 7110 40f347 htons socket 7109->7110 7111 40f382 ioctlsocket 7110->7111 7112 40f374 closesocket 7110->7112 7113 40f3aa connect select 7111->7113 7114 40f39d 7111->7114 7112->7117 7116 40f3f2 __WSAFDIsSet 7113->7116 7113->7117 7115 40f39f closesocket 7114->7115 7115->7117 7116->7115 7118 40f403 
ioctlsocket 7116->7118 7117->6385 7117->6963 7120 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7118->7120 7120->7117 7122 40dd84 lstrcmpiA 7121->7122 7123 40c58e 7122->7123 7123->6970 7123->6976 7123->6979 7125 407dc8 InterlockedExchange 7124->7125 7126 407dc0 Sleep 7125->7126 7127 407dd4 7125->7127 7126->7125 7127->7012 7127->7016 7129 40e184 7128->7129 7130 40e223 7129->7130 7142 40e2e4 7129->7142 7144 40dfe2 7129->7144 7132 40dfe2 8 API calls 7130->7132 7130->7142 7136 40e23c 7132->7136 7133 40e1be 7133->7130 7134 40dbcf 3 API calls 7133->7134 7137 40e1d6 7134->7137 7135 40e21a CloseHandle 7135->7130 7136->7142 7148 40e095 RegCreateKeyExA 7136->7148 7137->7130 7137->7135 7138 40e1f9 WriteFile 7137->7138 7138->7135 7140 40e213 7138->7140 7140->7135 7141 40e2a3 7141->7142 7143 40e095 4 API calls 7141->7143 7142->7039 7143->7142 7145 40dffc 7144->7145 7147 40e024 7144->7147 7146 40db2e 8 API calls 7145->7146 7145->7147 7146->7147 7147->7133 7149 40e172 7148->7149 7151 40e0c0 7148->7151 7149->7141 7150 40e13d 7152 40e14e RegDeleteValueA RegCloseKey 7150->7152 7151->7150 7153 40e115 RegSetValueExA 7151->7153 7152->7149 7153->7150 7153->7151 7155 403122 InterlockedExchange 7154->7155 7156 40312e 7155->7156 7157 40310f GetTickCount 7155->7157 7156->7056 7157->7156 7158 40311a Sleep 7157->7158 7158->7155 7160 40f04e 4 API calls 7159->7160 7161 403a83 7160->7161 7162 403bc0 7161->7162 7166 403b66 lstrlenA 7161->7166 7167 403ac1 7161->7167 7163 403be6 7162->7163 7164 40ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7162->7164 7165 40ec2e codecvt 4 API calls 7163->7165 7164->7162 7165->7167 7166->7161 7166->7167 7167->7062 7167->7063 7168->7078 7169->7075 7171 406f55 wsprintfA 7170->7171 7172 406eef AllocateAndInitializeSid 7170->7172 7171->7081 7173 406f44 7172->7173 7174 406f1c CheckTokenMembership 7172->7174 7173->7171 7178 406e36 GetUserNameW 7173->7178 7175 406f3b FreeSid 7174->7175 7176 406f2e 7174->7176 7175->7173 7176->7175 7179 
406e97 7178->7179 7180 406e5f LookupAccountNameW 7178->7180 7179->7171 7180->7179 7182 402419 4 API calls 7181->7182 7183 4024b6 7182->7183 7183->7096 7185 40dd79 lstrlenA 7184->7185 7185->6467 7187 40eb17 7186->7187 7189 40eb21 7186->7189 7188 40eae4 2 API calls 7187->7188 7188->7189 7189->6512 7192 4069b9 WriteFile 7190->7192 7193 406a3c 7192->7193 7195 4069ff 7192->7195 7193->6508 7193->6509 7194 406a10 WriteFile 7194->7193 7194->7195 7195->7193 7195->7194 7197 403ee2 7196->7197 7198 403edc 7196->7198 7197->6523 7199 406dc2 6 API calls 7198->7199 7199->7197 7201 40400b CreateFileA 7200->7201 7202 40402c GetLastError 7201->7202 7203 404052 7201->7203 7202->7203 7204 404037 7202->7204 7203->6526 7204->7203 7205 404041 Sleep 7204->7205 7205->7201 7205->7203 7207 403f4e GetLastError 7206->7207 7208 403f7c 7206->7208 7207->7208 7209 403f5b WaitForSingleObject GetOverlappedResult 7207->7209 7210 403f8c ReadFile 7208->7210 7209->7208 7211 403ff0 7210->7211 7212 403fc2 GetLastError 7210->7212 7211->6531 7211->6532 7212->7211 7213 403fcf WaitForSingleObject GetOverlappedResult 7212->7213 7213->7211 7215 401924 GetVersionExA 7214->7215 7215->6571 7217 40f0f1 7216->7217 7218 40f0ed 7216->7218 7219 40f119 7217->7219 7220 40f0fa lstrlenA SysAllocStringByteLen 7217->7220 7218->6603 7222 40f11c MultiByteToWideChar 7219->7222 7221 40f117 7220->7221 7220->7222 7221->6603 7222->7221 7224 401820 17 API calls 7223->7224 7225 4018f2 7224->7225 7226 4018f9 7225->7226 7240 401280 7225->7240 7226->6598 7228 401908 7228->6598 7253 401000 7229->7253 7231 401839 7232 401851 GetCurrentProcess 7231->7232 7233 40183d 7231->7233 7234 401864 7232->7234 7233->6589 7234->6589 7236 409308 7235->7236 7239 40920e 7235->7239 7236->6598 7237 4092f1 Sleep 7237->7239 7238 4092bf ShellExecuteA 7238->7236 7238->7239 7239->7236 7239->7237 7239->7238 7239->7239 7244 4012e1 ShellExecuteExW 7240->7244 7242 4016f9 GetLastError 7245 401699 7242->7245 7243 4013a8 7243->7245 7246 401570 lstrlenW 7243->7246 7247 
4015be GetStartupInfoW 7243->7247 7248 4015ff CreateProcessWithLogonW 7243->7248 7252 401668 CloseHandle 7243->7252 7244->7242 7244->7243 7245->7228 7246->7243 7247->7243 7249 4016bf GetLastError 7248->7249 7250 40163f WaitForSingleObject 7248->7250 7249->7245 7250->7243 7251 401659 CloseHandle 7250->7251 7251->7243 7252->7243 7254 40100d LoadLibraryA 7253->7254 7269 401023 7253->7269 7255 401021 7254->7255 7254->7269 7255->7231 7256 4010b5 GetProcAddress 7257 4010d1 GetProcAddress 7256->7257 7258 40127b 7256->7258 7257->7258 7259 4010f0 GetProcAddress 7257->7259 7258->7231 7259->7258 7260 401110 GetProcAddress 7259->7260 7260->7258 7261 401130 GetProcAddress 7260->7261 7261->7258 7262 40114f GetProcAddress 7261->7262 7262->7258 7263 40116f GetProcAddress 7262->7263 7263->7258 7264 40118f GetProcAddress 7263->7264 7264->7258 7265 4011ae GetProcAddress 7264->7265 7265->7258 7266 4011ce GetProcAddress 7265->7266 7266->7258 7267 4011ee GetProcAddress 7266->7267 7267->7258 7268 401209 GetProcAddress 7267->7268 7268->7258 7270 401225 GetProcAddress 7268->7270 7269->7256 7273 4010ae 7269->7273 7270->7258 7271 401241 GetProcAddress 7270->7271 7271->7258 7272 40125c GetProcAddress 7271->7272 7272->7258 7273->7231 7275 40908d 7274->7275 7276 4090e2 wsprintfA 7275->7276 7277 40ee2a 7276->7277 7278 4090fd CreateFileA 7277->7278 7279 40911a lstrlenA WriteFile CloseHandle 7278->7279 7280 40913f 7278->7280 7279->7280 7280->6626 7280->6627 7282 40ee2a 7281->7282 7283 409794 CreateProcessA 7282->7283 7284 4097c2 7283->7284 7285 4097bb 7283->7285 7286 4097d4 GetThreadContext 7284->7286 7285->6638 7287 409801 7286->7287 7288 4097f5 7286->7288 7295 40637c 7287->7295 7289 4097f6 TerminateProcess 7288->7289 7289->7285 7291 409816 7291->7289 7292 40981e WriteProcessMemory 7291->7292 7292->7288 7293 40983b SetThreadContext 7292->7293 7293->7288 7294 409858 ResumeThread 7293->7294 7294->7285 7296 406386 7295->7296 7297 40638a GetModuleHandleA VirtualAlloc 7295->7297 7296->7291 7298 4063f5 
7297->7298 7299 4063b6 7297->7299 7298->7291 7300 4063be VirtualAllocEx 7299->7300 7300->7298 7301 4063d6 7300->7301 7302 4063df WriteProcessMemory 7301->7302 7302->7298 7304 408791 7303->7304 7305 40879f 7303->7305 7307 40f04e 4 API calls 7304->7307 7306 4087bc 7305->7306 7308 40f04e 4 API calls 7305->7308 7309 40e819 11 API calls 7306->7309 7307->7305 7308->7306 7310 4087d7 7309->7310 7323 408803 7310->7323 7458 4026b2 gethostbyaddr 7310->7458 7313 4087eb 7315 40e8a1 30 API calls 7313->7315 7313->7323 7315->7323 7318 40e819 11 API calls 7318->7323 7319 4088a0 Sleep 7319->7323 7320 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7320->7323 7322 4026b2 2 API calls 7322->7323 7323->7318 7323->7319 7323->7320 7323->7322 7324 40e8a1 30 API calls 7323->7324 7355 408cee 7323->7355 7363 40c4d6 7323->7363 7366 40c4e2 7323->7366 7369 402011 7323->7369 7404 408328 7323->7404 7324->7323 7326 404084 7325->7326 7327 40407d 7325->7327 7328 403ecd 6 API calls 7326->7328 7329 40408f 7328->7329 7330 404000 3 API calls 7329->7330 7331 404095 7330->7331 7332 404130 7331->7332 7333 4040c0 7331->7333 7334 403ecd 6 API calls 7332->7334 7338 403f18 4 API calls 7333->7338 7335 404159 CreateNamedPipeA 7334->7335 7336 404167 Sleep 7335->7336 7337 404188 ConnectNamedPipe 7335->7337 7336->7332 7341 404176 CloseHandle 7336->7341 7340 404195 GetLastError 7337->7340 7351 4041ab 7337->7351 7339 4040da 7338->7339 7342 403f8c 4 API calls 7339->7342 7343 40425e DisconnectNamedPipe 7340->7343 7340->7351 7341->7337 7344 4040ec 7342->7344 7343->7337 7345 404127 CloseHandle 7344->7345 7346 404101 7344->7346 7345->7332 7348 403f18 4 API calls 7346->7348 7347 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7347->7351 7349 40411c ExitProcess 7348->7349 7350 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7350->7351 7351->7337 7351->7343 7351->7347 7351->7350 7352 40426a CloseHandle CloseHandle 7351->7352 7353 40e318 23 API calls 
7352->7353 7354 40427b 7353->7354 7354->7354 7356 408d02 GetTickCount 7355->7356 7357 408dae 7355->7357 7356->7357 7361 408d19 7356->7361 7357->7323 7358 408da1 GetTickCount 7358->7357 7361->7358 7362 408d89 7361->7362 7463 40a677 7361->7463 7466 40a688 7361->7466 7362->7358 7474 40c2dc 7363->7474 7367 40c2dc 125 API calls 7366->7367 7368 40c4ec 7367->7368 7368->7323 7370 402020 7369->7370 7371 40202e 7369->7371 7372 40f04e 4 API calls 7370->7372 7373 40204b 7371->7373 7374 40f04e 4 API calls 7371->7374 7372->7371 7375 40206e GetTickCount 7373->7375 7377 40f04e 4 API calls 7373->7377 7374->7373 7376 4020db GetTickCount 7375->7376 7386 402090 7375->7386 7379 402132 GetTickCount GetTickCount 7376->7379 7387 4020e7 7376->7387 7380 402068 7377->7380 7378 4020d4 GetTickCount 7378->7376 7381 40f04e 4 API calls 7379->7381 7380->7375 7384 402159 7381->7384 7382 40212b GetTickCount 7382->7379 7383 402684 2 API calls 7383->7386 7389 40e854 13 API calls 7384->7389 7403 4021b4 7384->7403 7386->7378 7386->7383 7392 4020ce 7386->7392 7750 401978 7386->7750 7387->7382 7395 401978 15 API calls 7387->7395 7396 402125 7387->7396 7740 402ef8 7387->7740 7388 40f04e 4 API calls 7391 4021d1 7388->7391 7393 40218e 7389->7393 7397 40ea84 30 API calls 7391->7397 7402 4021f2 7391->7402 7392->7378 7394 40e819 11 API calls 7393->7394 7399 40219c 7394->7399 7395->7387 7396->7382 7398 4021ec 7397->7398 7400 40f04e 4 API calls 7398->7400 7399->7403 7755 401c5f 7399->7755 7400->7402 7402->7323 7403->7388 7405 407dd6 6 API calls 7404->7405 7406 40833c 7405->7406 7407 408340 7406->7407 7408 406ec3 2 API calls 7406->7408 7407->7323 7409 40834f 7408->7409 7410 40835c 7409->7410 7413 40846b 7409->7413 7411 4073ff 17 API calls 7410->7411 7412 408373 7411->7412 7412->7407 7435 4083ea RegOpenKeyExA 7412->7435 7445 408450 7412->7445 7416 4084a7 RegOpenKeyExA 7413->7416 7413->7445 7414 408626 GetTempPathA 7432 408638 7414->7432 7415 40675c 21 API calls 7418 4085df 7415->7418 7419 4084c0 RegQueryValueExA 
7416->7419 7420 40852f 7416->7420 7418->7414 7427 408768 7418->7427 7448 408671 7418->7448 7421 408521 RegCloseKey 7419->7421 7422 4084dd 7419->7422 7425 408564 RegOpenKeyExA 7420->7425 7437 4085a5 7420->7437 7421->7420 7422->7421 7429 40ebcc 4 API calls 7422->7429 7423 408762 7423->7427 7424 4086ad 7424->7423 7426 407e2f 6 API calls 7424->7426 7428 408573 RegSetValueExA RegCloseKey 7425->7428 7425->7437 7438 4086bb 7426->7438 7427->7407 7431 40ec2e codecvt 4 API calls 7427->7431 7428->7437 7434 4084f0 7429->7434 7430 40875b DeleteFileA 7430->7423 7431->7407 7432->7448 7434->7421 7436 4084f8 RegQueryValueExA 7434->7436 7439 4083fd RegQueryValueExA 7435->7439 7435->7445 7436->7421 7440 408515 7436->7440 7441 40ec2e codecvt 4 API calls 7437->7441 7437->7445 7438->7430 7446 4086e0 lstrcpyA lstrlenA 7438->7446 7442 40842d RegSetValueExA 7439->7442 7443 40841e 7439->7443 7444 40ec2e codecvt 4 API calls 7440->7444 7441->7445 7449 408447 RegCloseKey 7442->7449 7443->7442 7443->7449 7450 40851d 7444->7450 7445->7415 7445->7418 7447 407fcf 64 API calls 7446->7447 7451 408719 CreateProcessA 7447->7451 7827 406ba7 IsBadCodePtr 7448->7827 7449->7445 7450->7421 7452 40873d CloseHandle CloseHandle 7451->7452 7453 40874f 7451->7453 7452->7427 7454 407ee6 64 API calls 7453->7454 7455 408754 7454->7455 7456 407ead 6 API calls 7455->7456 7457 40875a 7456->7457 7457->7430 7459 4026fb 7458->7459 7460 4026cd 7458->7460 7459->7313 7461 4026e1 inet_ntoa 7460->7461 7462 4026de 7460->7462 7461->7462 7462->7313 7469 40a63d 7463->7469 7465 40a685 7465->7361 7467 40a63d GetTickCount 7466->7467 7468 40a696 7467->7468 7468->7361 7470 40a645 7469->7470 7471 40a64d 7469->7471 7470->7465 7472 40a65e GetTickCount 7471->7472 7473 40a66e 7471->7473 7472->7473 7473->7465 7491 40a4c7 GetTickCount 7474->7491 7477 40c300 GetTickCount 7479 40c337 7477->7479 7478 40c326 7478->7479 7480 40c32b GetTickCount 7478->7480 7484 40c363 GetTickCount 7479->7484 7485 40c47a 7479->7485 7480->7479 7481 40c4d2 
7481->7323 7482 40c4ab InterlockedIncrement CreateThread 7482->7481 7483 40c4cb CloseHandle 7482->7483 7496 40b535 7482->7496 7483->7481 7484->7485 7486 40c373 7484->7486 7485->7481 7485->7482 7487 40c378 GetTickCount 7486->7487 7488 40c37f 7486->7488 7487->7488 7489 40c43b GetTickCount 7488->7489 7490 40c45e 7489->7490 7490->7485 7492 40a4f7 InterlockedExchange 7491->7492 7493 40a500 7492->7493 7494 40a4e4 GetTickCount 7492->7494 7493->7477 7493->7478 7493->7485 7494->7493 7495 40a4ef Sleep 7494->7495 7495->7492 7497 40b566 7496->7497 7498 40ebcc 4 API calls 7497->7498 7499 40b587 7498->7499 7500 40ebcc 4 API calls 7499->7500 7527 40b590 7500->7527 7501 40bdcd InterlockedDecrement 7502 40bde2 7501->7502 7504 40ec2e codecvt 4 API calls 7502->7504 7505 40bdea 7504->7505 7507 40ec2e codecvt 4 API calls 7505->7507 7506 40bdb7 Sleep 7506->7527 7508 40bdf2 7507->7508 7510 40be05 7508->7510 7511 40ec2e codecvt 4 API calls 7508->7511 7509 40bdcc 7509->7501 7511->7510 7512 40ebed 8 API calls 7512->7527 7515 40b6b6 lstrlenA 7515->7527 7516 4030b5 2 API calls 7516->7527 7517 40e819 11 API calls 7517->7527 7518 40b6ed lstrcpyA 7570 405ce1 7518->7570 7521 40b731 lstrlenA 7521->7527 7522 40b71f lstrcmpA 7522->7521 7522->7527 7523 40b772 GetTickCount 7523->7527 7524 40bd49 InterlockedIncrement 7633 40a628 7524->7633 7527->7501 7527->7506 7527->7509 7527->7512 7527->7515 7527->7516 7527->7517 7527->7518 7527->7521 7527->7522 7527->7523 7527->7524 7528 40b7ce InterlockedIncrement 7527->7528 7529 4038f0 6 API calls 7527->7529 7530 40bc5b InterlockedIncrement 7527->7530 7533 40b912 GetTickCount 7527->7533 7534 40b932 GetTickCount 7527->7534 7535 40bcdc closesocket 7527->7535 7536 40b826 InterlockedIncrement 7527->7536 7539 40bba6 InterlockedIncrement 7527->7539 7541 40a7c1 22 API calls 7527->7541 7543 40bc4c closesocket 7527->7543 7545 40ba71 wsprintfA 7527->7545 7546 40ab81 lstrcpynA InterlockedIncrement 7527->7546 7547 405ce1 22 API calls 7527->7547 7549 40ef1e lstrlenA 7527->7549 
7550 405ded 12 API calls 7527->7550 7551 40a688 GetTickCount 7527->7551 7552 403e10 7527->7552 7555 403e4f 7527->7555 7558 40384f 7527->7558 7578 40a7a3 inet_ntoa 7527->7578 7585 40abee 7527->7585 7597 401feb GetTickCount 7527->7597 7618 403cfb 7527->7618 7621 40ab81 7527->7621 7580 40acd7 7528->7580 7529->7527 7530->7527 7533->7527 7534->7527 7537 40bc6d InterlockedIncrement 7534->7537 7535->7527 7536->7523 7537->7527 7539->7527 7541->7527 7543->7527 7598 40a7c1 7545->7598 7546->7527 7547->7527 7549->7527 7550->7527 7551->7527 7553 4030fa 4 API calls 7552->7553 7554 403e1d 7553->7554 7554->7527 7556 4030fa 4 API calls 7555->7556 7557 403e5c 7556->7557 7557->7527 7559 4030fa 4 API calls 7558->7559 7561 403863 7559->7561 7560 4038b2 7560->7527 7561->7560 7562 4038b9 7561->7562 7563 403889 7561->7563 7642 4035f9 7562->7642 7636 403718 7563->7636 7568 403718 6 API calls 7568->7560 7569 4035f9 6 API calls 7569->7560 7571 405cf4 7570->7571 7572 405cec 7570->7572 7574 404bd1 4 API calls 7571->7574 7648 404bd1 GetTickCount 7572->7648 7575 405d02 7574->7575 7653 405472 7575->7653 7579 40a7b9 7578->7579 7579->7527 7581 40f315 14 API calls 7580->7581 7582 40aceb 7581->7582 7583 40acff 7582->7583 7584 40f315 14 API calls 7582->7584 7583->7527 7584->7583 7586 40abfb 7585->7586 7589 40ac65 7586->7589 7716 402f22 7586->7716 7588 40f315 14 API calls 7588->7589 7589->7588 7590 40ac6f 7589->7590 7596 40ac8a 7589->7596 7591 40ab81 2 API calls 7590->7591 7593 40ac81 7591->7593 7592 402684 2 API calls 7594 40ac23 7592->7594 7724 4038f0 7593->7724 7594->7589 7594->7592 7596->7527 7597->7527 7599 40a87d lstrlenA send 7598->7599 7600 40a7df 7598->7600 7601 40a899 7599->7601 7602 40a8bf 7599->7602 7600->7599 7606 40a7fa wsprintfA 7600->7606 7609 40a80a 7600->7609 7611 40a8f2 7600->7611 7603 40a8a5 wsprintfA 7601->7603 7617 40a89e 7601->7617 7604 40a8c4 send 7602->7604 7602->7611 7603->7617 7607 40a8d8 wsprintfA 7604->7607 7604->7611 7605 40a978 recv 7610 40a982 7605->7610 7605->7611 
7606->7609 7607->7617 7608 40a9b0 wsprintfA 7608->7617 7609->7599 7612 4030b5 2 API calls 7610->7612 7610->7617 7611->7605 7611->7608 7611->7610 7613 40ab05 7612->7613 7614 40e819 11 API calls 7613->7614 7615 40ab17 7614->7615 7616 40a7a3 inet_ntoa 7615->7616 7616->7617 7617->7527 7619 4030fa 4 API calls 7618->7619 7620 403d0b 7619->7620 7620->7527 7622 40abe9 GetTickCount 7621->7622 7624 40ab8c 7621->7624 7626 40a51d 7622->7626 7623 40aba8 lstrcpynA 7623->7624 7624->7622 7624->7623 7625 40abe1 InterlockedIncrement 7624->7625 7625->7624 7627 40a4c7 4 API calls 7626->7627 7628 40a52c 7627->7628 7629 40a542 GetTickCount 7628->7629 7631 40a539 GetTickCount 7628->7631 7629->7631 7632 40a56c 7631->7632 7632->7527 7634 40a4c7 4 API calls 7633->7634 7635 40a633 7634->7635 7635->7527 7637 40f04e 4 API calls 7636->7637 7639 40372a 7637->7639 7638 403847 7638->7560 7638->7568 7639->7638 7640 4037b3 GetCurrentThreadId 7639->7640 7640->7639 7641 4037c8 GetCurrentThreadId 7640->7641 7641->7639 7643 40f04e 4 API calls 7642->7643 7647 40360c 7643->7647 7644 4036f1 7644->7560 7644->7569 7645 4036da GetCurrentThreadId 7645->7644 7646 4036e5 GetCurrentThreadId 7645->7646 7646->7644 7647->7644 7647->7645 7649 404bff InterlockedExchange 7648->7649 7650 404c08 7649->7650 7651 404bec GetTickCount 7649->7651 7650->7571 7651->7650 7652 404bf7 Sleep 7651->7652 7652->7649 7672 404763 7653->7672 7655 405b58 7682 404699 7655->7682 7658 404763 lstrlenA 7659 405b6e 7658->7659 7703 404f9f 7659->7703 7661 405b79 7661->7527 7663 405549 lstrlenA 7666 40548a 7663->7666 7665 40558d lstrcpynA 7665->7666 7666->7655 7666->7665 7667 405a9f lstrcpyA 7666->7667 7668 404ae6 8 API calls 7666->7668 7669 405935 lstrcpynA 7666->7669 7670 405472 13 API calls 7666->7670 7671 4058e7 lstrcpyA 7666->7671 7676 404ae6 7666->7676 7680 40ef7c lstrlenA lstrlenA lstrlenA 7666->7680 7667->7666 7668->7666 7669->7666 7670->7666 7671->7666 7674 40477a 7672->7674 7673 404859 7673->7666 7674->7673 7675 40480d lstrlenA 
7674->7675 7675->7674 7677 404af3 7676->7677 7679 404b03 7676->7679 7678 40ebed 8 API calls 7677->7678 7678->7679 7679->7663 7681 40efb4 7680->7681 7681->7666 7708 4045b3 7682->7708 7685 4045b3 7 API calls 7686 4046c6 7685->7686 7687 4045b3 7 API calls 7686->7687 7688 4046d8 7687->7688 7689 4045b3 7 API calls 7688->7689 7690 4046ea 7689->7690 7691 4045b3 7 API calls 7690->7691 7692 4046ff 7691->7692 7693 4045b3 7 API calls 7692->7693 7694 404711 7693->7694 7695 4045b3 7 API calls 7694->7695 7696 404723 7695->7696 7697 40ef7c 3 API calls 7696->7697 7698 404735 7697->7698 7699 40ef7c 3 API calls 7698->7699 7700 40474a 7699->7700 7701 40ef7c 3 API calls 7700->7701 7702 40475c 7701->7702 7702->7658 7704 404fac 7703->7704 7707 404fb0 7703->7707 7704->7661 7705 404ffd 7705->7661 7706 404fd5 IsBadCodePtr 7706->7707 7707->7705 7707->7706 7709 4045c1 7708->7709 7710 4045c8 7708->7710 7711 40ebcc 4 API calls 7709->7711 7712 40ebcc 4 API calls 7710->7712 7714 4045e1 7710->7714 7711->7710 7712->7714 7713 404691 7713->7685 7714->7713 7715 40ef7c 3 API calls 7714->7715 7715->7714 7731 402d21 GetModuleHandleA 7716->7731 7719 402f85 7721 402fcf GetProcessHeap HeapFree 7719->7721 7720 402f4f 7722 402f6b GetProcessHeap HeapFree 7720->7722 7723 402f44 7721->7723 7722->7723 7723->7594 7725 403900 7724->7725 7727 403980 7724->7727 7726 4030fa 4 API calls 7725->7726 7730 40390a 7726->7730 7727->7596 7728 40391b GetCurrentThreadId 7728->7730 7729 403939 GetCurrentThreadId 7729->7730 7730->7727 7730->7728 7730->7729 7732 402d46 LoadLibraryA 7731->7732 7733 402d5b GetProcAddress 7731->7733 7732->7733 7737 402d54 7732->7737 7734 402d6b DnsQuery_A 7733->7734 7733->7737 7735 402d7d 7734->7735 7734->7737 7736 402d97 GetProcessHeap HeapAlloc 7735->7736 7735->7737 7736->7737 7739 402dac 7736->7739 7737->7719 7737->7720 7737->7723 7738 402db5 lstrcpynA 7738->7739 7739->7735 7739->7738 7741 402d21 7 API calls 7740->7741 7742 402f01 7741->7742 7743 402f14 7742->7743 7744 402f06 7742->7744 7745 
402684 2 API calls 7743->7745 7763 402df2 GetModuleHandleA 7744->7763 7747 402f1d 7745->7747 7747->7387 7749 402f1f 7749->7387 7751 40f428 14 API calls 7750->7751 7752 40198a 7751->7752 7753 401990 closesocket 7752->7753 7754 401998 7752->7754 7753->7754 7754->7386 7759 401c80 7755->7759 7756 401cc2 wsprintfA 7758 402684 2 API calls 7756->7758 7757 401d1c 7757->7757 7760 401d47 wsprintfA 7757->7760 7758->7759 7759->7756 7759->7757 7762 401d79 7759->7762 7761 402684 2 API calls 7760->7761 7761->7762 7762->7403 7764 402e10 LoadLibraryA 7763->7764 7765 402e0b 7763->7765 7766 402e17 7764->7766 7765->7764 7765->7766 7767 402ef1 7766->7767 7768 402e28 GetProcAddress 7766->7768 7767->7743 7767->7749 7768->7767 7769 402e3e GetProcessHeap HeapAlloc 7768->7769 7771 402e62 7769->7771 7770 402ede GetProcessHeap HeapFree 7770->7767 7771->7767 7771->7770 7772 402e7f htons inet_addr 7771->7772 7773 402ea5 gethostbyname 7771->7773 7775 402ceb 7771->7775 7772->7771 7772->7773 7773->7771 7776 402cf2 7775->7776 7778 402d1c 7776->7778 7779 402d0e Sleep 7776->7779 7780 402a62 GetProcessHeap HeapAlloc 7776->7780 7778->7771 7779->7776 7779->7778 7781 402a99 socket 7780->7781 7782 402a92 7780->7782 7783 402cd3 GetProcessHeap HeapFree 7781->7783 7784 402ab4 7781->7784 7782->7776 7783->7782 7784->7783 7798 402abd 7784->7798 7785 402adb htons 7800 4026ff 7785->7800 7787 402b04 select 7787->7798 7788 402ca4 7789 402cb3 GetProcessHeap HeapFree closesocket 7788->7789 7789->7782 7790 402b3f recv 7790->7798 7791 402b66 htons 7791->7788 7791->7798 7792 402b87 htons 7792->7788 7792->7798 7794 402bf3 GetProcessHeap HeapAlloc 7794->7798 7796 402c17 htons 7815 402871 7796->7815 7798->7785 7798->7787 7798->7788 7798->7789 7798->7790 7798->7791 7798->7792 7798->7794 7798->7796 7799 402c4d GetProcessHeap HeapFree 7798->7799 7807 402923 7798->7807 7819 402904 7798->7819 7799->7798 7801 40271d 7800->7801 7802 402717 7800->7802 7804 40272b GetTickCount htons 7801->7804 7803 40ebcc 4 API calls 7802->7803 
APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
• lstrcatA.KERNEL32(?,03900108), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,0390012C,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$X A$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-2372874219
• Opcode ID: 7f287d8b5622ce2f33a76550972da38f4545f8b89f8b46b54d0cc34956d9bf71
• Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
• Opcode Fuzzy Hash: 7f287d8b5622ce2f33a76550972da38f4545f8b89f8b46b54d0cc34956d9bf71
• Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNELBASE(004133D8), ref: 0040A407
• CreateThread.KERNELBASE(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNELBASE(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNELBASE(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNELBASE(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$D$P$\$pomunxzj
• API String ID: 2089075347-2119518856
• Opcode ID: d587aebee3d01fbc0baf05daae68ca334350240db1798278d38cb52bac640f00
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: d587aebee3d01fbc0baf05daae68ca334350240db1798278d38cb52bac640f00
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph (function at 0040199C; graph rendering not reproduced, legend: Executed / Not Executed)
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00401E9E), ref: 00401A1B
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• GetAdaptersInfo.IPHLPAPI(00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A4A
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• GetAdaptersInfo.IPHLPAPI(00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A6E
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 293628436-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58

Control-flow Graph (function at 00407A95; graph rendering not reproduced, legend: Executed / Not Executed)
APIs
• RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$D
• API String ID: 2976863881-4243593276
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.KERNELBASE(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.KERNELBASE(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe$localcfg
                                                                                            • API String ID: 237177642-1071712786
                                                                                            • Opcode ID: 71accc872682bc7ef36c93ac4e9529936c02b9f931ead9e4b8517653b3d332ec
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 71accc872682bc7ef36c93ac4e9529936c02b9f931ead9e4b8517653b3d332ec
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,774D0F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,774D0F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,774D0F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,774D0F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,774D0F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 67189bb2017e26718a859ea1bf01b3e2ba6572e478c662b1d1fffdcb133cac70
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 67189bb2017e26718a859ea1bf01b3e2ba6572e478c662b1d1fffdcb133cac70
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,774D0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,774D0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,774D0F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNELBASE(000000FF,?,774D0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1159 40f315-40f332 1160 40f334-40f336 1159->1160 1161 40f33b-40f372 call 40ee2a htons socket 1159->1161 1163 40f424-40f427 1160->1163 1165 40f382-40f39b ioctlsocket 1161->1165 1166 40f374-40f37d closesocket 1161->1166 1167 40f3aa-40f3f0 connect select 1165->1167 1168 40f39d 1165->1168 1166->1163 1170 40f421 1167->1170 1171 40f3f2-40f401 __WSAFDIsSet 1167->1171 1169 40f39f-40f3a8 closesocket 1168->1169 1172 40f423 1169->1172 1170->1172 1171->1169 1173 40f403-40f416 ioctlsocket call 40f26d 1171->1173 1172->1163 1175 40f41b-40f41f 1173->1175 1175->1172
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1176 40405e-40407b CreateEventA 1177 404084-4040a8 call 403ecd call 404000 1176->1177 1178 40407d-404081 1176->1178 1183 404130-40413e call 40ee2a 1177->1183 1184 4040ae-4040be call 40ee2a 1177->1184 1189 40413f-404165 call 403ecd CreateNamedPipeA 1183->1189 1184->1183 1190 4040c0-4040f1 call 40eca5 call 403f18 call 403f8c 1184->1190 1195 404167-404174 Sleep 1189->1195 1196 404188-404193 ConnectNamedPipe 1189->1196 1207 4040f3-4040ff 1190->1207 1208 404127-40412a CloseHandle 1190->1208 1195->1189 1201 404176-404182 CloseHandle 1195->1201 1199 404195-4041a5 GetLastError 1196->1199 1200 4041ab-4041c0 call 403f8c 1196->1200 1199->1200 1203 40425e-404265 DisconnectNamedPipe 1199->1203 1200->1196 1209 4041c2-4041f2 call 403f18 call 403f8c 1200->1209 1201->1196 1203->1196 1207->1208 1210 404101-404121 call 403f18 ExitProcess 1207->1210 1208->1183 1209->1203 1217 4041f4-404200 1209->1217 1217->1203 1218 404202-404215 call 403f8c 1217->1218 1218->1203 1221 404217-40421b 1218->1221 1221->1203 1222 40421d-404230 call 403f8c 1221->1222 1222->1203 1225 404232-404236 1222->1225 1225->1196 1226 40423c-404251 call 403f18 1225->1226 1229 404253-404259 1226->1229 1230 40426a-404276 CloseHandle * 2 call 40e318 1226->1230 1229->1196 1232 40427b 1230->1232 1232->1232
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1233 402d21-402d44 GetModuleHandleA 1234 402d46-402d52 LoadLibraryA 1233->1234 1235 402d5b-402d69 GetProcAddress 1233->1235 1234->1235 1236 402d54-402d56 1234->1236 1235->1236 1237 402d6b-402d7b DnsQuery_A 1235->1237 1238 402dee-402df1 1236->1238 1237->1236 1239 402d7d-402d88 1237->1239 1240 402d8a-402d8b 1239->1240 1241 402deb 1239->1241 1242 402d90-402d95 1240->1242 1241->1238 1243 402de2-402de8 1242->1243 1244 402d97-402daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 402dea 1243->1245 1244->1245 1246 402dac-402dd9 call 40ee2a lstrcpynA 1244->1246 1245->1241 1249 402de0 1246->1249 1250 402ddb-402dde 1246->1250 1249->1243 1250->1243
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00402D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1251 4080c9-4080ed call 406ec3 1254 4080f9-408115 call 40704c 1251->1254 1255 4080ef call 407ee6 1251->1255 1260 408225-40822b 1254->1260 1261 40811b-408121 1254->1261 1258 4080f4 1255->1258 1258->1260 1263 40826c-408273 1260->1263 1264 40822d-408233 1260->1264 1261->1260 1262 408127-40812a 1261->1262 1262->1260 1265 408130-408167 call 402544 RegOpenKeyExA 1262->1265 1264->1263 1266 408235-40823f call 40675c 1264->1266 1272 408216-408222 call 40ee2a 1265->1272 1273 40816d-40818b RegQueryValueExA 1265->1273 1269 408244-40824b 1266->1269 1269->1263 1271 40824d-408269 call 4024c2 call 40ec2e 1269->1271 1271->1263 1272->1260 1275 4081f7-4081fe 1273->1275 1276 40818d-408191 1273->1276 1279 408200-408206 call 40ec2e 1275->1279 1280 40820d-408210 RegCloseKey 1275->1280 1276->1275 1281 408193-408196 1276->1281 1289 40820c 1279->1289 1280->1272 1281->1275 1285 408198-4081a8 call 40ebcc 1281->1285 1285->1280 1291 4081aa-4081c2 RegQueryValueExA 1285->1291 1289->1280 1291->1275 1292 4081c4-4081ca 1291->1292 1293 4081cd-4081d2 1292->1293 1293->1293 1294 4081d4-4081e5 call 40ebcc 1293->1294 1294->1280 1297 4081e7-4081f5 call 40ef00 1294->1297 1297->1289
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,774D0F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,774D0F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,774D0F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,774D0F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,774D0F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,774D0F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,774D0F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,774D0F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,774D0F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\pomunxzj\qxavuooi.exe
                                                                                            • API String ID: 124786226-2632200365
                                                                                            • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1300 401ac3-401adc LoadLibraryA 1301 401ae2-401af3 GetProcAddress 1300->1301 1302 401b6b-401b70 1300->1302 1303 401af5-401b01 1301->1303 1304 401b6a 1301->1304 1305 401b1c-401b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 401b03-401b12 call 40ebed 1305->1306 1307 401b29-401b2b 1305->1307 1306->1307 1318 401b14-401b1b 1306->1318 1309 401b5b-401b5e 1307->1309 1310 401b2d-401b32 1307->1310 1311 401b60-401b68 call 40ec2e 1309->1311 1312 401b69 1309->1312 1310->1312 1314 401b34-401b3b 1310->1314 1311->1312 1312->1304 1315 401b54-401b59 1314->1315 1316 401b3d-401b52 1314->1316 1315->1309 1315->1314 1316->1315 1316->1316 1318->1305
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00401B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1320 40e3ca-40e3ee RegOpenKeyExA 1321 40e3f4-40e3fb 1320->1321 1322 40e528-40e52d 1320->1322 1323 40e3fe-40e403 1321->1323 1323->1323 1324 40e405-40e40f 1323->1324 1325 40e411-40e413 1324->1325 1326 40e414-40e452 call 40ee08 call 40f1ed RegQueryValueExA 1324->1326 1325->1326 1331 40e458-40e486 call 40f1ed RegQueryValueExA 1326->1331 1332 40e51d-40e527 RegCloseKey 1326->1332 1335 40e488-40e48a 1331->1335 1332->1322 1335->1332 1336 40e490-40e4a1 call 40db2e 1335->1336 1336->1332 1339 40e4a3-40e4a6 1336->1339 1340 40e4a9-40e4d3 call 40f1ed RegQueryValueExA 1339->1340 1343 40e4d5-40e4da 1340->1343 1344 40e4e8-40e4ea 1340->1344 1343->1344 1345 40e4dc-40e4e6 1343->1345 1344->1332 1346 40e4ec-40e516 call 402544 call 40e332 1344->1346 1345->1340 1345->1344 1346->1332
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1351 40f26d-40f303 setsockopt * 5
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                            Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                                                                            • Basic blocks of function 401bdf: 401bdf-401c04 (call 401ac3), 401c09-401c0b, 401c0d-401c1d (GetComputerNameA), 401c1f-401c24, 401c26-401c3b (loop), 401c3d-401c3f, 401c41-401c43, 401c45-401c57 (GetVolumeInformationA), 401c5a-401c5e (exit)
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • Part of subcall function 00401AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00401B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: 524bc83db48690ca31664134dd47c2b4b5acd3502c5eb4539d362831ce6af338
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 524bc83db48690ca31664134dd47c2b4b5acd3502c5eb4539d362831ce6af338
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
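The two records above list raw API calls with hex arguments only: setsockopt(s, level, optname, ...) shows 0000FFFF/00000004, 0000FFFF/00001005 and so on, and the host-identification routine combines GetComputerNameA and GetVolumeInformationA with an IPHLPAPI subcall. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses "APIs" lines in the report's own format, names the Winsock level/option pairs from their documented winsock2.h values, and tags each record with behaviour labels. The labels and the behaviour table are this script's own heuristics (assumptions, not Joe Sandbox signatures), and the sample input is copied from the two records above.

```python
"""Decode Joe Sandbox 'APIs' lines into a per-function behaviour summary.

Added example, not Joe Sandbox code. Input format assumed from the report:
    • Name.MODULE(arg,arg,...), ref: ADDR
    • Part of subcall function CALLER: Name.MODULE(...), ref: ADDR
    • Name.MODULE ref: ADDR            (no arguments captured)
"""
import re
from collections import Counter

# Winsock constants from winsock2.h; the report prints only the raw values.
SOL_SOCKET = 0xFFFF
IPPROTO_TCP = 0x0006
SOCKOPT_NAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR",
    (SOL_SOCKET, 0x0008): "SO_KEEPALIVE",
    (SOL_SOCKET, 0x0080): "SO_LINGER",
    (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO",
    (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}

# Heuristic labels (this script's own, not sandbox signatures): a label fires
# when every API in its set appears in the record.
BEHAVIOURS = {
    "host-fingerprint": {"GetComputerNameA", "GetVolumeInformationA"},
    "adapter-enumeration": {"GetAdaptersAddresses"},
    "host-resolution": {"gethostbyname"},
    "socket-tuning": {"setsockopt"},
}

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_lines(text):
    """One dict per recognised API line; headers and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("caller"),  # caller address if inside a subroutine
        })
    return calls

def hexarg(value):
    """Hex argument as int, or None for the '?' the sandbox emits when unknown."""
    try:
        return int(value, 16)
    except ValueError:
        return None

def decode_setsockopt(call):
    """setsockopt(s, level, optname, optval, optlen): name the level/option pair."""
    if call["name"] != "setsockopt" or len(call["args"]) < 3:
        return None
    level, optname = hexarg(call["args"][1]), hexarg(call["args"][2])
    if level is None or optname is None:
        return "setsockopt(?)"
    return SOCKOPT_NAMES.get((level, optname), f"0x{level:04x}/0x{optname:04x}")

def summarize(text):
    """Behaviour labels, decoded socket options and module histogram for one record."""
    calls = parse_api_lines(text)
    names = {c["name"] for c in calls}
    return {
        "calls": len(calls),
        "labels": sorted(l for l, need in BEHAVIOURS.items() if need <= names),
        "sockopts": [decode_setsockopt(c) for c in calls if c["name"] == "setsockopt"],
        "modules": dict(Counter(c["module"] for c in calls)),
    }

# Sample input copied from the two report records above (constructed test data).
SETSOCKOPT_RECORD = """APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

HOSTID_RECORD = """APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
  • Part of subcall function 00401AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00401B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
"""

if __name__ == "__main__":
    for record in (SETSOCKOPT_RECORD, HOSTID_RECORD):
        print(summarize(record))
```

Run against the first record the decoder reports SO_REUSEADDR, SO_SNDTIMEO, SO_RCVTIMEO, TCP_NODELAY and SO_LINGER, which is the option set of a hand-rolled TCP client with explicit send/receive timeouts rather than anything the report states by name; the second record is tagged host-fingerprint plus adapter-enumeration, with the three IPHLPAPI-related calls marked as coming from subroutine 00401AC3.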
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • Part of subcall function 00401AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00401B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: c74a9ce4acea1625e0b7a0adcdb652bc2852029cccc897b1901b99e806fd5a70
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: c74a9ce4acea1625e0b7a0adcdb652bc2852029cccc897b1901b99e806fd5a70
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                              • Part of subcall function 0040EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0040EC0A,00000000,80000001,?,0040DB55,7FFF0001), ref: 0040EBAD
                                                                                              • Part of subcall function 0040EBA0: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBB4
                                                                                            • GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$FreeSize
                                                                                            • String ID: '@
                                                                                            • API String ID: 1305341483-3530194223
                                                                                            • Opcode ID: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                                            • Instruction ID: 2d0ac8bb9d02bc94818634b60920d143dc176b06b32ab47b2cd542b2b5f2599d
                                                                                            • Opcode Fuzzy Hash: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                                            • Instruction Fuzzy Hash: 3AC012324062307BD5512751BC0DFDB7B28AF45711F0D481AF40576194C7BD588046ED
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,774D0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                            • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 004088A5
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: 13b34ab91c6e089ab7e933aaa92d9685adbaeea338ba8bd8bb835a3507aa5658
                                                                                            • Instruction ID: 5e6dedd41dfaf3c57d823a58201cac5e3dd460c3402a322f58ee34bb67b68061
                                                                                            • Opcode Fuzzy Hash: 13b34ab91c6e089ab7e933aaa92d9685adbaeea338ba8bd8bb835a3507aa5658
                                                                                            • Instruction Fuzzy Hash: 0321D8721483006AF324B766AE47BAA36A8EB40714F90843FF944F61C3EFFD559441AD
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                            APIs
                                                                                            • GetEnvironmentVariableA.KERNEL32(0040DC19,?,00000104), ref: 0040DB7F
                                                                                            • lstrcpyA.KERNEL32(?,004128F8), ref: 0040DBA4
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0040DBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2536392590-0
                                                                                            • Opcode ID: 24f24032dad758e48778ffe5b23201964ab22939b15f72a291980d466ea6d8d5
                                                                                            • Instruction ID: 3cc3424982f895eecdfaa0ba290256a8b16e46f45f4285ec1a6da07035465e3e
                                                                                            • Opcode Fuzzy Hash: 24f24032dad758e48778ffe5b23201964ab22939b15f72a291980d466ea6d8d5
                                                                                            • Instruction Fuzzy Hash: 6DF0B47050020DABEF10DF64EC49FD93B69BB14308F1081A4BB51A40D0D7F6E589CF18
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: 1c4510ea3c8f119ded68dcb48893df8f38566b617ec3988e52a2e0107d84e853
                                                                                            • Instruction ID: 209f5f21230a1b5cc5b6fae645c2427c5b441865e64d1a3e063d511977c76def
                                                                                            • Opcode Fuzzy Hash: 1c4510ea3c8f119ded68dcb48893df8f38566b617ec3988e52a2e0107d84e853
                                                                                            • Instruction Fuzzy Hash: 5AE0657190111D9BCB009BA8EC89FCA77ACBB04308F084471F905E3295EA74E9048794
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,0040CA44), ref: 0040F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            • API ID: recv
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 00401992
                                                                                            • API ID: closesocket
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • API ID: lstrcmpi
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            APIs
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,774CF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,774CF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,774D0F10,?,774D0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(774D0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,774D0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(774D0F10,?,774D0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(774D0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
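The record above combines GetLocalTime/SystemTimeToFileTime and gethostname()/inet_ntoa() with the format strings `----=_NextPart_%03d_%04X_%08.8lX.%08.8lX` and `%08x@%s`, falling back to the literal `LocalHost` when no hostname is available. The following is an added example, not code from the Joe Sandbox report or from the Tofsee sample: it renders those two format strings the way the wsprintfA calls would, recovers the embedded FILETIME from a boundary, and scans a constructed header block for both. Two things are assumptions made here and not stated by the report: that the two `%08.8lX` fields are the high and low DWORDs of the FILETIME (how Outlook Express forms its boundaries, which the `%OUTLOOK_BND_`/`%OUTLOOK_HST`/`%OUTLOOK_MID` placeholders suggest is being imitated), and that `%08x@%s` is the Message-ID.

```python
"""Added example (not from the Joe Sandbox report or the Tofsee sample).

Assumptions: the two %08.8lX fields are the high/low DWORDs of a FILETIME, and
'%08x@%s' is the Message-ID. The header block at the bottom is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Format strings exactly as they appear in the String ID line. Python's %-formatting
# accepts and ignores the C 'l' length modifier, so they can be used verbatim.
BOUNDARY_FMT = "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX"
MSGID_FMT = "%08x@%s"

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks from here


def to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    """Windows FILETIME -> aware UTC datetime (sub-microsecond ticks are dropped)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def nextpart_boundary(part, seq, filetime):
    """Render the boundary as the wsprintfA call would (high/low DWORD split is assumed)."""
    return BOUNDARY_FMT % (part, seq, filetime >> 32, filetime & 0xFFFFFFFF)


def message_id(tick, host):
    """Render '%08x@%s'; the record copies 'LocalHost' in when it has no hostname."""
    return MSGID_FMT % (tick & 0xFFFFFFFF, host or "LocalHost")


BOUNDARY_RE = re.compile(
    r"----=_NextPart_(?P<part>\d{3})_(?P<seq>[0-9A-F]{4})_(?P<hi>[0-9A-F]{8})\.(?P<lo>[0-9A-F]{8})")
MSGID_RE = re.compile(r"<(?P<tick>[0-9a-f]{8})@(?P<host>[^>\s]+)>")


def parse_boundary(boundary):
    """Recover part number, sequence and the embedded FILETIME from a boundary, or None."""
    m = BOUNDARY_RE.fullmatch(boundary)
    if not m:
        return None
    ft = (int(m["hi"], 16) << 32) | int(m["lo"], 16)
    return {"part": int(m["part"]), "seq": int(m["seq"], 16),
            "filetime": ft, "time": from_filetime(ft)}


def scan_headers(raw_headers):
    """Pull NextPart boundaries and 8-hex-digit@host Message-IDs out of raw headers.

    A boundary whose decoded FILETIME disagrees badly with the Date: header, or a
    Message-ID host of 'LocalHost', is the kind of inconsistency a filter can key on.
    """
    findings = {"boundaries": [], "message_ids": []}
    for m in BOUNDARY_RE.finditer(raw_headers):
        findings["boundaries"].append(parse_boundary(m.group(0)))
    for m in MSGID_RE.finditer(raw_headers):
        findings["message_ids"].append({"tick": int(m["tick"], 16), "host": m["host"]})
    return findings


if __name__ == "__main__":
    sent = datetime(2024, 9, 26, 12, 0, 0, tzinfo=timezone.utc)
    ft = to_filetime(sent)
    # Constructed header block, not a capture from the sample.
    headers = ("Message-ID: <%s>\r\n" % message_id(0x0040AE4F, "")
               + 'Content-Type: multipart/alternative;\r\n\tboundary="%s"\r\n'
               % nextpart_boundary(0, 0x1C, ft))
    for b in scan_headers(headers)["boundaries"]:
        print("boundary FILETIME decodes to", b["time"].isoformat())
```

Decoding the FILETIME out of the boundary gives the sender's local clock at composition time, which is worth comparing against the Date: header and the receiving MTA's timestamp when triaging mail from this family.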
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,774D23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7597EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
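The record above handles the keys `rbl_bl` and `rbl_ip` next to `localcfg` and `net_type`. Reading them as a DNSBL zone and the bot's own egress address is an inference, not something the report states. The following is an added example, not code from the report or the sample: the generic DNSBL lookup any mail sender performs (reversed IPv4 octets plus zone, an answer in 127.0.0.0/8 means listed), together with the RFC 5782 liveness check that 127.0.0.2 is listed and 127.0.0.1 is not. The zone `bl.example` and its answers are constructed so the example runs offline; nothing is queried unless `lookup()` is called without a resolver.

```python
"""Added example, not code from the Joe Sandbox report or from the Tofsee sample.

Assumption: 'rbl_bl' / 'rbl_ip' name a DNSBL zone and the sender's own IPv4 address.
FAKE_ZONE below is constructed; the return-code meaning beyond 'in 127/8' is
zone-specific and not modelled here.
"""
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """'203.0.113.7', 'bl.example' -> '7.113.0.203.bl.example' (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def classify(answers):
    """Turn A-record answers into a verdict. Only 127/8 is a listing; any other
    address means the zone is broken (e.g. an expired domain answering with a wildcard)."""
    if not answers:
        return "not_listed", []
    codes = [str(a) for a in map(ipaddress.ip_address, answers)]
    hits = [c for c in codes if ipaddress.ip_address(c) in LISTED_NET]
    return ("listed", hits) if hits else ("bad_zone", codes)


def system_resolve(name):
    """Default resolver: A records for name, [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip, zone, resolve=system_resolve):
    """Verdict for one address against one zone; resolver is injectable for tests."""
    return classify(resolve(dnsbl_name(ip, zone)))


def zone_is_sane(zone, resolve=system_resolve):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (lookup("127.0.0.2", zone, resolve)[0] == "listed"
            and lookup("127.0.0.1", zone, resolve)[0] == "not_listed")


# Constructed answers standing in for a resolver, so the example runs offline.
FAKE_ZONE = {
    "2.0.0.127.bl.example": ["127.0.0.2"],
    "7.113.0.203.bl.example": ["127.0.0.2", "127.0.0.4"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print("zone sane:", zone_is_sane("bl.example", fake_resolve))
    print("203.0.113.7:", lookup("203.0.113.7", "bl.example", fake_resolve))
    print("198.51.100.1:", lookup("198.51.100.1", "bl.example", fake_resolve))
```

On the defensive side the same lookup, run against your own egress addresses, tells you whether a host that has started emitting SMTP traffic has already been listed; the `bad_zone` branch matters because a decommissioned zone that answers everything with a wildcard would otherwise look like a universal listing.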
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-3679488032
                                                                                            • Opcode ID: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction ID: bd7dfe77e026ff01e11c6618f048304d5953ff5d6b37f7005ea1b6d17bf081bd
                                                                                            • Opcode Fuzzy Hash: ac16611c4fddf8c3cf7e82f2ce1d8bd22cf067ce21d7c8c5ccb760e75c026233
                                                                                            • Instruction Fuzzy Hash: 263197B25401197ADF016B96CCC2DFFBB6CEF49348B14052BF904B1182EB789A6587E9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
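Every function on this page is reported in the same layout: an `APIs` bullet list (import, module, argument list, `ref:` address, optionally prefixed by `Part of subcall function`), then `String ID`, `API ID` and the fuzzy-hash fields. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: a parser for that layout, a pass that pulls the identifier-like strings (`localcfg`, `smtp_ban`, ...) and `%PLACEHOLDER` tokens out of the `String ID` lines, an import profile per function, and a YARA rule emitted from the collected strings. The embedded sample is abridged from the thread-creation record and the `smtp_*` record above; the rule name and the `3 of them` threshold are choices made here.

```python
"""Added example, not part of the Joe Sandbox report or of Joe Sandbox itself.

Parser for the per-function records on this page. SAMPLE is abridged from two
of the records above; field names are taken from the page.
"""
import re

SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 0040C31F
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
Strings
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
"""

# '• [Part of subcall function ADDR: ]Name.MODULE[(args)][, ref: ADDR]'
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-F]{8}))?$")
# '• Key Name: value' (String ID, API ID, Source File, fuzzy hashes ...)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def parse_records(text):
    """Split at each 'APIs' heading and collect that function's calls, strings and fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # 'Strings', 'Memory Dump Source' etc. are headings without data
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": [a for a in (m["args"] or "").split(",") if a],
                                "ref": m["ref"], "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] == "String ID":
            cur["strings"] = [s for s in m["value"].split("$") if s]  # '$' separates strings
        elif m:
            cur["fields"][m["key"]] = m["value"]
    return records


IDENT_RE = re.compile(r"^[a-z][a-z0-9_]+$")         # localcfg, smtp_ban, rbl_ip, runas ...
PLACEHOLDER_RE = re.compile(r"^%[A-Z][A-Z0-9_]+$")  # %TO_HASH, %OUTLOOK_BND_ ...


def indicators(records):
    """Identifier-like strings and %PLACEHOLDER tokens across all records, deduplicated."""
    idents, holders = set(), set()
    for rec in records:
        for s in rec["strings"]:
            if IDENT_RE.match(s):
                idents.add(s)
            elif PLACEHOLDER_RE.match(s):
                holders.add(s)
    return sorted(idents), sorted(holders)


def imports_by_function(records):
    """{lowest direct ref address: sorted 'MODULE!name' imports}, subcalls excluded."""
    out = {}
    for rec in records:
        direct = [a for a in rec["apis"] if a["ref"] and not a["subcall"]]
        if direct:
            out[min(a["ref"] for a in direct)] = sorted({f'{a["module"]}!{a["name"]}' for a in direct})
    return out


def yara_rule(name, strings, minimum):
    """Emit a YARA rule over the collected strings, escaping as YARA text strings require."""
    body = [f"rule {name} {{", "  strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        body.append(f'    $s{i} = "{esc}" ascii')
    body += ["  condition:", f"    {minimum} of them", "}"]
    return "\n".join(body)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    idents, holders = indicators(recs)
    print(imports_by_function(recs))
    print(yara_rule("tofsee_config_keys", idents, 3))
```

Fed the whole report instead of the abridged sample, `indicators()` also returns the template placeholders (`%TO_HASH`, `%M5DATE`, `%OUTLOOK_BND_` and the rest), which are the strings most worth carrying into a memory-scanning rule because they survive across builds better than addresses or fuzzy hashes.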
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,774C8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,774D0F10,?,00000000,0040E538,?,774D0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(?,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(774D0F18,00000000,?,774D0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,774D0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,774D0F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,0081B054,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(0081B048,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                            • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7597EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(77600000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,774D23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2638079664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
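The function records above (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches, Similarity) are uniform enough to be parsed from a saved report, which is how an analyst would pull the API usage, referenced strings and fuzzy hashes of the injected svchost.exe image into a triage script or a cross-sample hash index. The following is an added example, not Joe Sandbox code: the line patterns and the tag rules are this example's own reading of the layout, and SAMPLE_REPORT is constructed from records on this page (some long fields shortened, some blocks omitted).

```python
"""Parse the per-function records the Joe Sandbox IDA plugin emits (the APIs /
Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Yara matches /
Similarity blocks above) and tag each function by the API families it calls.
Added example, not Joe Sandbox code; line patterns and tag rules are this
example's own. SAMPLE_REPORT is constructed from records on this page."""
import re

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "• [Part of subcall function 004030FA: ]Api.MODULE[(args)], ref: 0040ABCD"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?(?P<api>\w+)\."
    r"(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
# "• <string>, xrefs: 0040ABCD"; the string itself may contain ", " and ":"
STRING_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
# "• Key: value"; the value may be empty (an empty String ID)
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text):
    """One dict per record. Lines before the first 'APIs' header (the tail of a
    record cut off by pagination, as at the top of this page) are skipped."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":  # every record opens with its APIs block
                rec = {"apis": [], "strings": [], "dump": {}, "similarity": {}}
                records.append(rec)
            section = line
        elif not line or rec is None:
            continue
        elif section == "APIs" and (m := API_LINE.match(line)):
            rec["apis"].append({"api": m["api"], "module": m["mod"], "args": m["args"],
                                "ref": m["ref"], "subcall_of": m["sub"]})
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            rec["strings"].append((m["text"], m["xref"]))
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin") and (m := KV_LINE.match(line)):
            rec["dump"][m["key"]] = m["val"]
        elif section == "Similarity" and (m := KV_LINE.match(line)):
            rec["similarity"][m["key"]] = m["val"]
    return records


def tag_record(rec):
    """Coarse behavioural tags from API names, modules and referenced strings."""
    names = {a["api"] for a in rec["apis"]}
    modules = {a["module"] for a in rec["apis"]}
    tags = []
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        tags.append("dynamic-api-resolution")  # imports resolved at run time
    if "WS2_32" in modules:
        tags.append("winsock")  # socket or name-resolution code
    if "WriteFile" in names:
        tags.append("file-write")
    if any(re.search(r"%\w+", s) for s, _ in rec["strings"]):
        tags.append("format-string")  # printf-style status line or template
    return tags


def index_by_fuzzy_hash(records):
    """Instruction Fuzzy Hash -> record, for matching functions across samples."""
    return {r["similarity"]["Instruction Fuzzy Hash"]: r
            for r in records if "Instruction Fuzzy Hash" in r["similarity"]}


SAMPLE_REPORT = """\
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d, xrefs: 0040C057
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_svchost.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
Strings
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(77600000,00000000), ref: 0040EB07
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(r["similarity"].get("API ID", "?"), tag_record(r))
```

The tag rules deliberately key on what the records show rather than on a signature: LoadLibraryA plus GetProcAddress in one function marks run-time import resolution, a WS2_32 module marks socket code, and a `%` token in a referenced string marks a printf-style status line or template. Records whose APIs block is empty but whose API ID is populated (as in the CountTickwsprintf record above) parse cleanly and simply receive no API-based tags, so the Similarity fields remain the reliable handle for those.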