Windows Analysis Report
Spoofer.exe

Overview

General Information

Sample name: Spoofer.exe
Analysis ID: 1545845
MD5: ffcd50b0755fa610e1ae01815431d1cb
SHA1: feff8f1a2f9ce0ac4dc7b759d7bf9f2159eb8d92
SHA256: a4c7cd980edcf99283128cfa36dbabcda06410b202c5c69c5c9db05bb9856d12
Tags: exe, user-lontze7

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Deletes shadow drive data (may be related to ransomware)
Infects the VBR (Volume Boot Record) of the hard disk
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Deletes files inside the Windows folder
Detected potential crypto function
Found potential string decryption / allocating functions
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • Spoofer.exe (PID: 1776 cmdline: "C:\Users\user\Desktop\Spoofer.exe" MD5: FFCD50B0755FA610E1AE01815431D1CB)
    • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5960 cmdline: C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Spoofer.exe, Avira: detected
Source: Spoofer.exe, ReversingLabs: Detection: 68%
Source: Spoofer.exe, Virustotal: Detection: 76%
Source: Spoofer.exe, Joe Sandbox ML: detected
Source: Spoofer.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32EF4 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32EF4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33685 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33685
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32E67 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32E67
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33930 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33930
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32180 RegOpenKeyExW,NtQueryKey,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32180
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA328AE NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA328AE
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33912 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33912
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA34500 RegEnumKeyExW,RegCloseKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA34500
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA330F4 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA330F4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA333CD RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA333CD
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31FD0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31FD0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31FB0 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31FB0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31F41 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31F41
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA40328 FindFirstFileExW,0_2_00007FF79FA40328
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local\Temp\Low
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net

Spam, unwanted Advertisements and Ransom Demands

Source: Spoofer.exeBinary or memory string: vssadmin delete shadows /All /Quiet
Source: Spoofer.exe, 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: vssadmin delete shadows /All /Quiet
Source: Spoofer.exe, 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \\.\%c:%c:\Windows\System32\restore\MachineGuid.txt%c:\Users\Public\Libraries\collection.dat%c:\System Volume Information\IndexerVolumeGuid%c:\System Volume Information\WPSettings.dat%c:\System Volume Information\tracking.log%c:\ProgramData\Microsoft\Windows\WER%c:\Users\Public\Shared Files%c:\Windows\INF\setupapi.dev.log%c:\Windows\INF\setupapi.setup.log%c:\Users\Public\Libraries%c:\MSOCache%c:\ProgramData\ntuser.pol%c:\Users\Default\NTUSER.DAT%c:\Recovery\ntuser.sys%c:\desktop.ini%c:\Windows\Prefetch\*%c:\Windows\Prefetch\%ws%c:\Users\*%c:\Users\%ws\*ntuser%c:\Users\%ws\%ws%c:\Usersdesktop.inifsutil usn deletejournal /d %c:vssadmin delete shadows /All /QuietWmiPrvSE.exeKilled Winmgmt
Source: Spoofer.exe, 00000000.00000000.2024820558.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: vssadmin delete shadows /All /Quiet
Source: Spoofer.exe, 00000000.00000000.2024820558.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \\.\%c:%c:\Windows\System32\restore\MachineGuid.txt%c:\Users\Public\Libraries\collection.dat%c:\System Volume Information\IndexerVolumeGuid%c:\System Volume Information\WPSettings.dat%c:\System Volume Information\tracking.log%c:\ProgramData\Microsoft\Windows\WER%c:\Users\Public\Shared Files%c:\Windows\INF\setupapi.dev.log%c:\Windows\INF\setupapi.setup.log%c:\Users\Public\Libraries%c:\MSOCache%c:\ProgramData\ntuser.pol%c:\Users\Default\NTUSER.DAT%c:\Recovery\ntuser.sys%c:\desktop.ini%c:\Windows\Prefetch\*%c:\Windows\Prefetch\%ws%c:\Users\*%c:\Users\%ws\*ntuser%c:\Users\%ws\%ws%c:\Usersdesktop.inifsutil usn deletejournal /d %c:vssadmin delete shadows /All /QuietWmiPrvSE.exeKilled Winmgmt
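The long string above is a run of adjacent format strings from the sample's string table (the separators between them are lost in the report), and read one by one it is a complete anti-forensic checklist: `vssadmin delete shadows /All /Quiet`, `fsutil usn deletejournal /d %c:`, the Prefetch, setupapi, WER and System Volume Information paths, and `WmiPrvSE.exe` / `Killed Winmgmt`. The following is an added detection example written for this report, not code from the sample or from Joe Sandbox. It runs over Sysmon-style ProcessCreate (Event ID 1) and FileDelete (Event ID 23) records reduced to plain dicts, matches each technique the string table names, and alerts when one process shows two or more of them within a short window, which is what separates this sample from a backup job that legitimately touches shadow copies. The log records, parent PID and timestamps are constructed; only PID 1776 is taken from the process tree at the top of the report.

```python
"""Detection logic for the anti-forensic behaviour listed in this report.

Added example, not code from the sample or from Joe Sandbox. Input is a list
of Sysmon-style records (Event ID 1 ProcessCreate, Event ID 23 FileDelete)
reduced to dicts; the records at the bottom are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique, regex over the lower-cased command line). The first two are the
# exact commands in the sample's string table; the last two cover the same
# effect as its WmiPrvSE.exe / "Killed Winmgmt" strings done via built-in tools.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("usn_journal_deletion", re.compile(r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal\b")),
    ("wmi_service_stop",     re.compile(r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|stop-service)\b.*\bwinmgmt\b")),
    ("wmi_provider_kill",    re.compile(r"\btaskkill(\.exe)?\b.*\bwmiprvse\.exe\b")),
]

# (technique, regex over the lower-cased deleted path); paths come from the
# string table's format strings with the %c: placeholder read as a drive letter.
FILE_DELETE_RULES = [
    ("prefetch_wipe",     re.compile(r"^[a-z]:\\windows\\prefetch\\.*\.pf$")),
    ("setupapi_log_wipe", re.compile(r"^[a-z]:\\windows\\inf\\setupapi\.(dev|setup)\.log$")),
    ("wer_wipe",          re.compile(r"^[a-z]:\\programdata\\microsoft\\windows\\wer\\")),
    ("svi_metadata_wipe", re.compile(r"^[a-z]:\\system volume information\\(indexervolumeguid|wpsettings\.dat|tracking\.log)$")),
]


def match_record(rec):
    """Return the technique name a single record matches, or None."""
    if rec["event_id"] == 1:
        cmd = rec["command_line"].lower()
        for name, rx in COMMAND_RULES:
            if rx.search(cmd):
                return name
    elif rec["event_id"] == 23:
        path = rec["target_filename"].lower()
        for name, rx in FILE_DELETE_RULES:
            if rx.search(path):
                return name
    return None


def correlate(records, window=timedelta(minutes=5), min_techniques=2):
    """Attribute each hit to the process responsible (the parent for Event 1,
    since vssadmin/fsutil/sc run as spawned children; the deleting process for
    Event 23) and alert when one process shows at least `min_techniques`
    distinct techniques inside `window`. Returns [(actor_pid, [techniques])]."""
    hits = defaultdict(list)
    for rec in records:
        tech = match_record(rec)
        if tech is None:
            continue
        actor = rec["parent_pid"] if rec["event_id"] == 1 else rec["pid"]
        hits[actor].append((rec["time"], tech))

    alerts = []
    for actor, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {tech for t, tech in events[i:] if t - start <= window}
            if len(seen) >= min_techniques:
                alerts.append((actor, sorted(seen)))
                break
    return alerts


# Constructed records. PID 1776 is the sample's PID from the process tree in
# this report; the parent PID, timestamps and benign noise are made up.
T0 = datetime(2024, 10, 29, 12, 0, 0)
SAMPLE_RECORDS = [
    {"event_id": 1, "time": T0, "pid": 1776, "parent_pid": 4004,
     "command_line": r'"C:\Users\user\Desktop\Spoofer.exe"'},
    {"event_id": 1, "time": T0 + timedelta(seconds=2), "pid": 2100, "parent_pid": 1776,
     "command_line": "vssadmin delete shadows /All /Quiet"},
    {"event_id": 1, "time": T0 + timedelta(seconds=3), "pid": 2104, "parent_pid": 1776,
     "command_line": "fsutil usn deletejournal /d C:"},
    {"event_id": 23, "time": T0 + timedelta(seconds=5), "pid": 1776, "parent_pid": 4004,
     "target_filename": r"C:\Windows\Prefetch\SPOOFER.EXE-1A2B3C4D.pf"},
    {"event_id": 1, "time": T0 + timedelta(seconds=6), "pid": 2110, "parent_pid": 1776,
     "command_line": "sc stop winmgmt"},
    # Benign noise: a backup job enumerating shadows, a user clearing a temp file.
    {"event_id": 1, "time": T0 + timedelta(minutes=1), "pid": 3000, "parent_pid": 2900,
     "command_line": "vssadmin list shadows"},
    {"event_id": 23, "time": T0 + timedelta(minutes=2), "pid": 3100, "parent_pid": 2900,
     "target_filename": r"C:\Users\admin\AppData\Local\Temp\x.tmp"},
]


def run_sample():
    """Run the correlation over the constructed records."""
    return correlate(SAMPLE_RECORDS)


if __name__ == "__main__":
    for pid, techniques in run_sample():
        print(f"ALERT pid={pid}: {', '.join(techniques)}")
```

Two caveats for anyone deploying this. Sysmon only emits Event ID 23 for paths its configuration lists under FileDelete, so the Prefetch and setupapi rules need a matching config entry. And the command-line rules only see the built-in tools: the code-function list further down shows the sample walking the process list with CreateToolhelp32Snapshot/Process32Next and ending in OpenProcess/TerminateProcess, so its kill of WmiPrvSE.exe leaves no command line at all. For that path, watch the System log for event 7036 reporting Winmgmt entering the stopped state, or Sysmon Event ID 10 ProcessAccess on WmiPrvSE.exe with PROCESS_TERMINATE (0x1) in GrantedAccess.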
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA350B0 RegQueryValueExW,NtQueryKey,RegSetValueExW,NtQueryKey,0_2_00007FF79FA350B0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA338A1 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA338A1
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33110 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33110
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33083 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33083
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA35C70 SHDeleteValueW,NtQueryKey,NtQueryKey,0_2_00007FF79FA35C70
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31BA0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31BA0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA333F0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA333F0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31730 RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31730
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33F30 SHDeleteValueW,NtQueryKey,NtQueryKey,RegEnumKeyExW,RegCloseKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33F30
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA35B70 SHDeleteKeyW,NtQueryKey,NtQueryKey,0_2_00007FF79FA35B70
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA3335C NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA3335C
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31360 RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31360
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32360 RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32360
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA312AD NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,SetFilePointer,WriteFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00007FF79FA312AD
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA352A0 RegOpenKeyExW,NtQueryKey,RegQueryValueExW,RegSetValueExW,NtQueryKey,NtQueryKey,RegCloseKey,0_2_00007FF79FA352A0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31B0E NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31B0E
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33712 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33712
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA35710 RegOpenKeyExW,NtQueryKey,RegQueryValueExW,NtQueryKey,RegSetValueExW,NtQueryKey,RegCloseKey,0_2_00007FF79FA35710
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32EF4 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32EF4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33685 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33685
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32E67 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32E67
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA35950 RegCreateKeyW,RegCreateKeyExW,NtQueryKey,RegCopyTreeW,SHDeleteKeyW,NtQueryKey,NtQueryKey,NtQueryKey,RegCloseKey,0_2_00007FF79FA35950
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33930 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33930
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32180 RegOpenKeyExW,NtQueryKey,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32180
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA35560 RegOpenKeyExW,NtQueryKey,RegSetValueExW,NtQueryKey,NtQueryKey,RegCloseKey,0_2_00007FF79FA35560
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA328AE NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA328AE
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33912 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33912
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA330F4 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA330F4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA333CD RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA333CD
Source: C:\Users\user\Desktop\Spoofer.exe	File deleted: C:\Windows\INF\setupapi.dev.log
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA338A1
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33110
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33083
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31BA0
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA333F0
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31730
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33F30
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3335C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31360
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32360
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA312AD
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA352A0
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31B0E
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33712
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32EF4
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33685
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32E67
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33930
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32180
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA328AE
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA33912
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA34500
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA330F4
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA45C54
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3B87C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA4305C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA333CD
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31FD0
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31FB0
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA397D8
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31F41
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA45F44
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA40328
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3EB8C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31B7D
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA492A8
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA336F6
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32ED8
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3F248
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA39A5C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31DB6
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31D9A
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3F94C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA44140
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA32940
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA31D2B
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA4011C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3291F
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA3E180
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: 0_2_00007FF79FA4456C
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA3A79C appears 102 times
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA31070 appears 34 times
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA38580 appears 38 times
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA35B70 appears 147 times
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA35560 appears 145 times
Source: C:\Users\user\Desktop\Spoofer.exe	Code function: String function: 00007FF79FA31010 appears 781 times
Source: C:\Users\user\Desktop\Spoofer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284
Source: classification engine	Classification label: mal68.rans.winEXE@3/7@0/0
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1776
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\014d18ad-0b70-46e7-874d-e415a9596f31
Source: Spoofer.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Spoofer.exe	File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Spoofer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Spoofer.exe	ReversingLabs: Detection: 68%
Source: Spoofer.exe	Virustotal: Detection: 76%
Source: unknown	Process created: C:\Users\user\Desktop\Spoofer.exe "C:\Users\user\Desktop\Spoofer.exe"
Source: C:\Users\user\Desktop\Spoofer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Spoofer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Spoofer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Spoofer.exe	Static PE information: Image base 0x140000000 > 0x60000000
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Spoofer.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Spoofer.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: nload_prod.pdb source: Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: r2winload_prod.pdbR source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.pdb8372-3968301570-199ub source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2k* source: Spoofer.exe, 00000000.00000003.2078674073.0000021C2426A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ware\Classes\SystemFileAssociations\.pdb source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Registry\Machine\Software\Classes\.pdb\OpenWithProgidsdleruser source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .winload_prod.pdb source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082160982.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082619302.0000021C24238000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f2ntkrnlmp.pdbJ source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbntkrnlmp.pdb0ih source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079348981.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078656736.0000021C2427B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079861244.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2Y` source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .winload_prod.pdb b source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nload_prod.pdbR source: Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Loaded\Desktop\User\x64\Release\User.pdb source: Spoofer.exe
Source: Binary string: sers\user\AppData\Local\Temp\Symbolswinload_prod.pdb7FAF3012B7846079AEECDBE0A5831 source: Spoofer.exe, 00000000.00000003.2083286051.0000021C241E9000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000002.2298801073.0000021C241E1000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082651311.0000021C241E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbWINLOA~1.PDB source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.pdbr(bt source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079330911.0000021C24277000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078656736.0000021C2427B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079372381.0000021C2427D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082160982.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2080608796.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079953506.0000021C2422E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079815814.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082619302.0000021C24238000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBR source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079330911.0000021C24277000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078656736.0000021C2427B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079372381.0000021C2427D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2080608796.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079953506.0000021C2422E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079815814.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .winload_prod.pdb 1 source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.pdb source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NTFSMachine\Software\Classes\.val\OpenWithProgidsnload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2Y` source: Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sers\user\AppData\Local80369C7}os\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Spoofer.exe, 00000000.00000002.2298801073.0000021C2418B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .ntkrnlmp.pdb source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079348981.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079861244.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sers\user\AppData\Local80369C7}os\winload_prod.pdb7FAF3012B7846079AEECDBE0A58312* source: Spoofer.exe, 00000000.00000002.2298801073.0000021C2418B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .winload_prod.pdb $z source: Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbJ source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079348981.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078656736.0000021C2427B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079861244.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: q ntkrnlmp.pdbJ source: Spoofer.exe, 00000000.00000003.2079348981.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079861244.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079330911.0000021C24277000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078656736.0000021C2427B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079372381.0000021C2427D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2080608796.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082481374.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079488665.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079953506.0000021C2422E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079953506.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2080634064.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079815814.0000021C2427E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ,ad_prod.pdb '' source: Spoofer.exe, 00000000.00000003.2082591001.0000021C2602C000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079348981.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082125260.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079861244.0000021C2602B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local80369C7}os\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2]) source: Spoofer.exe, 00000000.00000003.2078674073.0000021C2426A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Registry\Machine\Software\Classes\CLSID\{679F85CB-0220-4080-B29B-5540CC05AAB6}WINLOA~1.PDB source: Spoofer.exe, 00000000.00000003.2079953506.0000021C2422E000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.pdbr source: Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbR source: Spoofer.exe, 00000000.00000003.2080382501.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078793338.0000021C24210000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082160982.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079904178.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078773941.0000021C24237000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2079387961.0000021C2422D000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2078820610.0000021C24225000.00000004.00000020.00020000.00000000.sdmp, Spoofer.exe, 00000000.00000003.2082619302.0000021C24238000.00000004.00000020.00020000.00000000.sdmp
Source: Spoofer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Spoofer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Spoofer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Spoofer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Spoofer.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Spoofer.exe Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Spoofer.exe File written: C: offset: 512
Source: C:\Users\user\Desktop\Spoofer.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TPM\WMI
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Spoofer.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\Spoofer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA360B0 wsprintfW,FindFirstFileW,wsprintfW,StrStrW,FindNextFileW,FindClose,0_2_00007FF79FA360B0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA338A1 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA338A1
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33110 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33110
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33083 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33083
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31BA0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31BA0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA333F0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA333F0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31730 RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31730
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33F30 SHDeleteValueW,NtQueryKey,NtQueryKey,RegEnumKeyExW,RegCloseKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33F30
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA3335C NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA3335C
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31360 RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31360
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32360 RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegEnumKeyExW,RegOpenKeyExW,NtQueryKey,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32360
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA312AD NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,SHDeleteValueW,NtQueryKey,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,SetFilePointer,WriteFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00007FF79FA312AD
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31B0E NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31B0E
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33712 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33712
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32EF4 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32EF4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33685 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33685
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32E67 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32E67
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33930 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33930
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32180 RegOpenKeyExW,NtQueryKey,RegCloseKey,RegEnumKeyExW,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32180
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA328AE NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA328AE
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA33912 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA33912
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA34500 RegEnumKeyExW,RegCloseKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA34500
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA330F4 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA330F4
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA333CD RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA333CD
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31FD0 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31FD0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31FB0 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31FB0
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31F41 NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31F41
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA40328 FindFirstFileExW,0_2_00007FF79FA40328
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31B7D RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31B7D
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA336F6 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA336F6
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32ED8 RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32ED8
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31DB6 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31DB6
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31D9A RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31D9A
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA32940 RegSetValueExW,NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA32940
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA31D2B NtQueryKey,RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA31D2B
Source: C:\Users\user\Desktop\Spoofer.exeCode function: 0_2_00007FF79FA3291F RegCloseKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,RegOpenKeyExW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,SHDeleteValueW,NtQueryKey,RegOpenKeyExW,NtQueryKey,GetTempPathW,SHGetFolderPathW,SHGetFolderPathW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLogicalDrives,wsprintfW,CreateFileW,ReadFile,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,wsprintfW,FindFirstFileW,wsprintfW,FindFirstFileW,StrStrW,wsprintfW,FindNextFileW,FindClose,FindNextFileW,FindClose,wsprintfW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF79FA3291F
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local\Temp\Low
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Spoofer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA3C8BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79FA3C8BC
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA42848 GetProcessHeap,0_2_00007FF79FA42848
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA364B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF79FA364B4
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA36C68 SetUnhandledExceptionFilter,0_2_00007FF79FA36C68
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA36AC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79FA36AC0
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA35D70 PathFileExistsW,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,FreeSid,SetEntriesInAclW,FreeSid,FreeSid,SetNamedSecurityInfoW,SetNamedSecurityInfoW,SetFileAttributesW,DeleteFileW,SHFileOperationW,GetLastError,FreeSid,FreeSid,LocalFree,0_2_00007FF79FA35D70
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA490F0 cpuid 0_2_00007FF79FA490F0
Source: C:\Users\user\Desktop\Spoofer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Users\user\Desktop\Spoofer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Spoofer.exe | Code function: 0_2_00007FF79FA369A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF79FA369A0
Source: C:\Users\user\Desktop\Spoofer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched signatures for that technique):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
  • Persistence: Windows Service (1); Bootkit (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Privilege Escalation: Windows Service (1); Process Injection (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Bootkit (1); DLL Side-Loading (1); File Deletion (11)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: System Time Discovery (1); Security Software Discovery (41); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (3); System Information Discovery (34); Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
Spoofer.exe | 68% | ReversingLabs | Win64.Ransomware.DelShad
Spoofer.exe | 77% | Virustotal |
Spoofer.exe | 100% | Avira | HEUR/AGEN.1318680
Spoofer.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545845
Start date and time: 2024-10-31 06:50:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Spoofer.exe
Detection: MAL
Classification: mal68.rans.winEXE@3/7@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 52
  • Number of non-executed functions: 11
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.182.143.212
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:51:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process: C:\Users\user\Desktop\Spoofer.exe
File Type: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 239616, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 103512102, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0e6b81a761ae64d9a
Category: dropped
Size (bytes): 512
Entropy (8bit): 5.898304525321565
Encrypted: false
SSDEEP: 12:vNwubma2Rzg3jDFp2rznDLtVOyOzrhYTRwpWmpIiX7SZ:vNwuCaAzs0FcyWtYm5miXuZ
MD5: 2C8969EF5C8AFE638139387366005870
SHA1: 28C7F8BFDE80DD8B4D4896F4184AD0265ECEA502
SHA-256: CA24536C9EC24CC1D1349F787F80929E60879F47906F192C1663973FCA80E845
SHA-512: E5F9E900C5F6A16332C6A5338AC178D7FFA41ADC2C5FA70E87EEED70ABBA4F03EFB4F493BFA080B25CA50DB328D1051D7E74CDE07538D2407BAA7CCEB40631E5
Malicious: true
Reputation: low
Preview:.R.NTFS .............?...............&x+..............................M..v........3....|.h....hf.....f.>..NTFSu..A..U..r...U.u.....u........h...H...............X.r.;...u.........Z3.. +.f...............K.+.w.....f#.u-f..TCPAu$....r..h...hR..h..fSfSfU...h..fa....3..............f`..f...f.....fh....fP.Sh..h...B..........fY[ZfYfY.....f..............u...fa.................<.t.............A disk read error occurred...BOOTMGR is compressed...Press Ctrl+Alt+Del to restart................................U.
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9200536783213388
Encrypted: false
SSDEEP: 96:b5FnnyuvnsXhoSV7o/PS3QXIDcQNc6GcEdcw32P+HbHg/8BRTf3o8Fa9KENOyPmQ:t19nXxV0DCXCUjBPXezuiFe+74lO88
MD5: 8153A9B2C907C8DCA766598759CC8558
SHA1: 6A7EB2BD19E0B67CD0D4FDF1CA1803748A1D07BC
SHA-256: 200AE4329AC32B1CA7F8BA124377F67DE7803C773515D147C11BD6C31E4DA601
SHA-512: 5DB977B1DA9B1DB4EA99D35B8E8EF1F3A338286516BC9F375A9169A9C3EC0055A29A26F765ED28166915B98C1128C868E2551335272A33F534425B6A44A16001
Malicious: true
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.2.7.4.6.7.1.8.6.0.8.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.2.7.4.6.8.1.2.3.5.9.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.e.e.f.8.9.b.-.9.3.f.1.-.4.b.d.1.-.8.7.0.2.-.6.5.6.2.3.f.2.7.d.4.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.e.2.f.8.e.1.-.7.5.a.f.-.4.d.b.a.-.b.2.f.d.-.6.b.c.2.d.c.d.2.7.6.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.p.o.o.f.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.f.0.-.0.0.0.1.-.0.0.1.4.-.8.7.e.7.-.4.1.d.b.5.8.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.f.e.9.a.b.7.1.1.c.7.3.3.d.0.8.7.f.3.5.7.7.2.7.a.9.c.0.5.2.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.f.e.f.f.8.f.1.a.2.f.9.c.e.0.a.c.4.d.c.7.b.7.5.9.d.7.b.f.9.f.2.1.5.9.e.b.8.d.9.2.!.S.p.o.o.f.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.1.8.:.1.8.:.3.9.:.2.2.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Oct 31 05:51:07 2024, 0x1205a4 type
Category: dropped
Size (bytes): 331606
Entropy (8bit): 1.0514769824800567
Encrypted: false
SSDEEP: 384:7aUov6WlRLeVAuhgHofe2brpThl/x3M8s9kSrAHnowJ:7aNCWlRVuh0CeSpTjx3M8sD4o
MD5: 3C2717BE7B3A345873362EC95A92D130
SHA1: A94F812AD13EF042F19F6753AB8F71FBDEADE135
SHA-256: EE36938714D2CA0937BFFE70246068DEB358A137AA245290C1D486FE5D580358
SHA-512: F7E1DC3412A788FBA17D3269DDD68CC164D247F8040AD5D803556679395E268B31B4FFA8D6464A985C14E81F598E5E557932B4FD729AAED4D1238C772852EB9A
Malicious: false
Reputation: low
Preview:MDMP..a..... .........#g........................(................\..........T.......8...........T............1..............D...........0...............................................................................eJ..............Lw......................T.............#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................d.a.2.f.2...b...1.m.8.5.c.a.r.b...v.7._.r.7.l.a.8.s.c...5.a.3.1.e.2.-.2.8.f.e...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8508
Entropy (8bit): 3.687726693683082
Encrypted: false
SSDEEP: 192:R6l7vWeJsj7RQ26YEI01oPYgmfNGJpD089bvbCUf1Vjm:R6lL5JW7RQ26YEb1oPYgmfNGtvbZf36
MD5: 80135ACF1BDE736D1D8DA2EE6246C48A
SHA1: 896FC57577461552A6EB9494AEBFEDAE28C995D7
SHA-256: C7E68B2E487C47C22C56A6728280EB853DC456F14B9B90490882BD1469BF7DA0
SHA-512: C76845E30EA294E1FCC30213F85D096631F7B8F48347CD15F2DC66D0581C92488EB46A5CEF4839453144466C8383B38C188BFC93A0C2189BD09D8D20832A0FC8
Malicious: false
Reputation: low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.d.a.2.f.2...b...1.m.8.5.c.a.r.b...v.7._.r.7.l.a.8.s.c...5.a.3.1.e.2.-.2.8.f.e.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.7.6.<./.P.i.d.>...
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4732
Entropy (8bit): 4.414160429019628
Encrypted: false
SSDEEP: 48:cvIwWl8zs7JgdY6I9EiCWpW8hvYm8M4JYp6FoWdEyq8v7pK1TGRd:uIjfV0YyiD7YJahWdEWtK1TGRd
MD5: 1BA3CABD2474BB883F1BCF0BDFC0F857
SHA1: 144A38C32FC0B49752CFBB8F864A396D19A3646A
SHA-256: 0BCEDE9A04FFBE6231CAF744EB429E74CC8961768AF2FA59C063FCC581867F13
SHA-512: EE63C144C7DC9B76DCB9F0FED4FBC0C99BBCEBBCCC80C476225CCD1377808A360BAC481883752B7B70FBEA4D33F2F5E73B594B22A5F49182601D77BCAE549AFF
Malicious: false
Reputation: low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567173" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.421643561520963
Encrypted: false
SSDEEP: 6144:uSvfpi6ceLP/9skLmb0OT6WSPHaJG8nAgeMZMMhA2fX4WABlEnNL0uhiTw:NvloT6W+EZMM6DFyl03w
MD5: 74FE11226D26972011EFF1683AB473F1
SHA1: A780BF2D92F6B5B295FBF8E78FDE93C882033447
SHA-256: 08EFCFA264CDEDC274BC929EAC088B90984F23FB1A2A4C7E7AE2F579AFC17F1E
SHA-512: 38A9037F6D1206BD984B02940FCC3CB99DF8CC8D3435B3EB2F3687918831C85E2BD228CD9E33091805BA06CB901BAF9BC027666B2B2BF7A9A29100BC8960DA55
Malicious: false
Reputation: low
Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*...X+...............................................................................................................................................................................................................................................................................................................................................4..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Spoofer.exe
File Type: ISO-8859 text, with CRLF line terminators
Category: dropped
Size (bytes): 17556
Entropy (8bit): 5.457717668315387
Encrypted: false
SSDEEP: 384:MVDNlyNBmNo+ijDU6hlB5nRzpqUNSN9NU1lB/QwgG/KgNDNCNNN8N/NONJNYNhNP:wOWiNEnmC/OxknqVoLefTUFKaxhM7hVl
MD5: 90E74E35CC59646030EFD96FC4C88918
SHA1: 422FAE7950EE7C0B424CD079E7AF71A3221B9682
SHA-256: 1AEA100F55B5C7BBBA01BDE0E912D9534B76D7F0DF0392A57657D9510F771B8C
SHA-512: ECE9A015035CB3C2C5BA2001EA6DBE1750682D5BDF31AB4C6BDE4C6BA046EE96D82EA9EC67406FBCC1EB4C1F92037C719813A019056FB48A08D12AFC828E993B
Malicious: false
Reputation: low
Preview:Failed to query size of: REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\1&8713bca&0&UID0\Device Parameters\EDID....Failed to query size of: REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\4&427137e&0&UID0\Device Parameters\EDID....\SYSTEM\CurrentControlSet\Services\mssmbios\Data\SMBiosData.... deleted....REGISTRY\MACHINE\SYSTEM\HardwareConfig\LastConfig.... {2ed92742-89dc-dd72-92e8-869fa5a66493} -> {c448340f-9fa7-aece-bb9e-5e111a13d127}....REGISTRY\MACHINE\SYSTEM\HardwareConfig\{2ed92742-89dc-dd72-92e8-869fa5a66493}.... renamed to {c448340f-9fa7-aece-bb9e-5e111a13d127}....Failed to open key: \SOFTWARE\NVIDIA Corporation\Global....Failed to open key: \SOFTWARE\NVIDIA Corporation\Global....Failed to open key: \SOFTWARE\NVIDIA Corporation\Global\CoProcManager....\SYSTEM\MountedDevices.... deleted....\SOFTWARE\Microsoft\Dfrg\Statistics.... deleted....\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume.... deleted....\SOFTWARE\Microsof
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 6.091844202650423
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Spoofer.exe
File size: 167'912 bytes
MD5: ffcd50b0755fa610e1ae01815431d1cb
SHA1: feff8f1a2f9ce0ac4dc7b759d7bf9f2159eb8d92
SHA256: a4c7cd980edcf99283128cfa36dbabcda06410b202c5c69c5c9db05bb9856d12
SHA512: 2c1da426c963abb145ce23a97a4de767c357f4cbc20ea4cb967a25fed217fb49e429ea51798b0d9b9b04cb8122ed61c93ccec322f6db9f006039b8fbf4b6c7d9
SSDEEP: 3072:nx6a306MCf9MWvUH2YGvRV2KnNShMhJSNouU24tBego:x43CfCdWVXfn59u+a
TLSH: 1CF34B5633E020F9E9738634CDA15542F776B83507209A6F0B64477A1F33B91EE3AB25
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........J...J...J...^...A...^...O...^...........o.......X.......C...^...A...J...1.......H.....K.K.......K...RichJ...........PE..d..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1400064a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x625DB05A [Mon Apr 18 18:39:22 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 5a2a062ddca4c4768594288308aacfa8
Instruction
dec eax
sub esp, 28h
call 00007FB15481DC1Ch
dec eax
add esp, 28h
jmp 00007FB15481D597h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00013CE3h]
dec eax
mov ecx, ebx
call dword ptr [00013CD2h]
call dword ptr [00013BC4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00013C30h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00013CB4h]
test eax, eax
je 00007FB15481D729h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00021622h]
call 00007FB15481D8EEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00021709h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00021699h], eax
dec eax
mov eax, dword ptr [000216F2h]
dec eax
mov dword ptr [00021563h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00021667h], eax
mov dword ptr [0002153Dh], C0000409h
mov dword ptr [00021537h], 00000001h
mov dword ptr [00021541h], 00000001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26058 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x29000 | 0x12f0 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x664 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x249b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x24a20 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x388 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy             Characteristics
.text   0x1000           0x18de0       0x18e00   ae41488b379d4119bf4fda9077826eae  False     0.549740891959799    data                6.434440656159259   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x1a000          0xcc6c        0xce00    2117ed065269e4db75130ee3847b5087  False     0.42136301577669905  data                4.880634417399588   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x27000          0x1e80        0xc00     17ae4173be0f32f9d93b57f4874504c4  False     0.14322916666666666  data                1.8519208806509708  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x29000          0x12f0        0x1400    fb703777f9433f606e891791408f9914  False     0.4705078125         PEX Binary Archive  5.004926840210423   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA  0x2b000          0xfc          0x200     0bdfd7b13aab259d9f0cd03b900fceae  False     0.30859375           data                1.9834041877315076  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x1e8         0x200     755caa02e9677281b3dd5c55f7320473  False     0.54296875           data                4.772037401703051   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2d000          0x664         0x800     17b30bb5ab931822d7f005385f8b763d  False     0.5126953125         data                4.907650621148116   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
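The header fields above (Entrypoint, Subsystem, Image File Characteristics, DLL Characteristics) and the section table are what a first-pass static triage reads. The following is an added example, not code from Joe Sandbox or from the sample's author, that parses those fields from raw bytes with only the Python standard library and flags what an analyst checks first: which exploit mitigations are set, where the entry point lands, and whether any section is both writable and executable. Because the binary itself is not on this page, the script builds a header-only PE32+ fixture (build_pe, a constructed stand-in that carries no code) filled with the values this report prints, so its output can be compared with the report; parse_pe accepts a real file's bytes in the same way.

```python
"""Triage a PE header the way the static section of a sandbox report does:
subsystem, file/DLL characteristics, entry point location and section
permissions, read straight from the bytes with the standard library.

Added example, not Joe Sandbox code. build_pe() produces a header-only
PE32+ fixture (DOS header, NT headers, section table, no section data);
REPORT_LIKE fills it with the values this report shows for Spoofer.exe
(entry RVA 0x64a0, image base 0x140000000, CUI subsystem, the
.text/.rdata/.data layout) so the checks can be exercised offline.
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Mitigations worth confirming on any modern MSVC build; absence is a triage note.
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "HIGH_ENTROPY_VA", "NX_COMPAT", "GUARD_CF")


def flag_names(value, table):
    """Decode a bitmask into names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def build_pe(entry_rva, dll_chars, sections, subsystem=3, file_chars=0x0022,
             image_base=0x140000000, timestamp=0x625DB05A):
    """Header-only PE32+ image; sections are (name, va, vsize, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, file_chars)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000, image_base, 0x1000, 0x200,
                      6, 0, 6, 0, 6, 0, 0, 0, 0x400, 0, subsystem, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty dirs
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 vsize, va, 0, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table


def parse_pe(data):
    """Return the header fields the triage needs; PE32 and PE32+ both handled."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                   # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                 # PE32: BaseOfData at +24, ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)   # same offset in both formats
    sections = []
    for i in range(nsec):
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "chars": chars})
    return {"machine": machine, "timestamp": ts, "file_chars": fchars, "magic": magic,
            "entry": entry, "image_base": image_base, "subsystem": subsystem,
            "dll_chars": dll_chars, "sections": sections}


def triage(info):
    """Summarise what an analyst checks first: mitigations, entry section, W+X sections."""
    present = flag_names(info["dll_chars"], DLL_CHARACTERISTICS)
    entry_section = next((s["name"] for s in info["sections"]
                          if s["va"] <= info["entry"] < s["va"] + s["vsize"]), None)
    wx = [s["name"] for s in info["sections"]
          if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE]
    return {"subsystem": SUBSYSTEMS.get(info["subsystem"], "other(%d)" % info["subsystem"]),
            "file_chars": flag_names(info["file_chars"], FILE_CHARACTERISTICS),
            "mitigations": present,
            "missing": [m for m in EXPECTED_MITIGATIONS if m not in present],
            "entry_va": info["image_base"] + info["entry"],
            "entry_section": entry_section,      # None: entry point outside every section
            "wx_sections": wx}                   # writable+executable: packer or self-modifying code


# Constructed fixture mirroring the static values printed in this report.
REPORT_LIKE = build_pe(
    entry_rva=0x64A0,
    dll_chars=0x8160,   # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    sections=[(".text", 0x1000, 0x18DE0, SCN_CODE | SCN_EXECUTE | SCN_READ),
              (".rdata", 0x1A000, 0xCC6C, SCN_INIT_DATA | SCN_READ),
              (".data", 0x27000, 0x1E80, SCN_INIT_DATA | SCN_READ | SCN_WRITE)])

if __name__ == "__main__":
    for key, value in triage(parse_pe(REPORT_LIKE)).items():
        print("%-14s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Run as a script it prints the triage of the report-like fixture: entry_va resolves to 0x1400064a0 inside .text, no section is W+X, and missing comes out as GUARD_CF only, which is consistent with the DLL Characteristics line above listing no GUARD_CF. On a real file pass open(path, "rb").read() to parse_pe; an entry point in a non-.text section or a W+X section is the usual sign of a packed image and a reason to distrust the static import list.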
Name         RVA      Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0x2c060  0x188  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5892857142857143
DLL           Imports
KERNEL32.dll  GetProcAddress, GetModuleHandleW, GetTickCount, GetCurrentProcess, SetFileAttributesW, LoadLibraryW, DeleteFileW, LocalFree, WriteConsoleW, HeapReAlloc, CloseHandle, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, OpenProcess, CreateFileW, FindClose, GetTempPathW, SetFilePointer, TerminateProcess, WriteFile, FindNextFileW, FindFirstFileW, GetLogicalDrives, GetLastError, ReadFile, HeapSize, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, GetProcessHeap, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetFileType, WaitForSingleObject, GetExitCodeProcess, CreateProcessW, GetFileAttributesExW, GetStringTypeW, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle
USER32.dll    wsprintfW
ADVAPI32.dll  LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, SetEntriesInAclW, RegCreateKeyExW, SetNamedSecurityInfoW, RegSetValueExW, OpenProcessToken, FreeSid, RegCopyTreeW, RegCreateKeyW, RegQueryValueExW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW
SHELL32.dll   SHGetFolderPathW, SHFileOperationW
SHLWAPI.dll   PathFileExistsW, SHDeleteKeyW, SHDeleteValueW, StrStrW
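The Import Hash printed in the static section is computed from exactly the names listed above, and the same list is the quickest static view of what the sample can do. The following is an added example, not Joe Sandbox code, that shows the computation (Mandiant's imphash as implemented in pefile) and groups the imported APIs into the capability buckets a reviewer of this report would note. Assumptions: REPORT_IMPORTS copies the names in the order printed above, which is taken to be import-table order; only if that holds does the digest equal the report's 5a2a062ddca4c4768594288308aacfa8, and the script does not assume it. The capability groups are this example's own grouping, not a published taxonomy, and the debugger-check bucket is labelled as CRT baseline because IsDebuggerPresent is imported by the MSVC CRT start-up code of practically every MSVC-built binary.

```python
"""Recompute an import hash (imphash) and sort imports into capability
groups, using the import table listed in this report.

Added example, not Joe Sandbox code. imphash (Mandiant's definition, as
implemented in pefile) is MD5 over "dll.function" pairs: DLL name
lowercased with a .dll/.ocx/.sys extension dropped, function lowercased,
ordinal imports rendered as "ordN", pairs joined by commas in import
table order. REPORT_IMPORTS is copied from this report in the order
printed; that this equals import-table order is an assumption, so the
digest is not claimed to reproduce 5a2a062ddca4c4768594288308aacfa8.
"""
import hashlib

REPORT_IMPORTS = [
    ("KERNEL32.dll", """GetProcAddress GetModuleHandleW GetTickCount GetCurrentProcess
        SetFileAttributesW LoadLibraryW DeleteFileW LocalFree WriteConsoleW HeapReAlloc
        CloseHandle Process32FirstW Process32NextW CreateToolhelp32Snapshot OpenProcess
        CreateFileW FindClose GetTempPathW SetFilePointer TerminateProcess WriteFile
        FindNextFileW FindFirstFileW GetLogicalDrives GetLastError ReadFile HeapSize
        SetFilePointerEx GetFileSizeEx GetConsoleMode GetConsoleOutputCP FlushFileBuffers
        GetProcessHeap RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind
        UnhandledExceptionFilter SetUnhandledExceptionFilter IsProcessorFeaturePresent
        QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId
        GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetStartupInfoW
        RtlUnwindEx SetLastError EnterCriticalSection LeaveCriticalSection
        DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue
        TlsSetValue TlsFree FreeLibrary LoadLibraryExW RaiseException GetStdHandle
        GetModuleFileNameW ExitProcess GetModuleHandleExW GetCommandLineA GetCommandLineW
        HeapAlloc HeapFree CompareStringW LCMapStringW GetFileType WaitForSingleObject
        GetExitCodeProcess CreateProcessW GetFileAttributesExW GetStringTypeW
        FindFirstFileExW IsValidCodePage GetACP GetOEMCP GetCPInfo MultiByteToWideChar
        WideCharToMultiByte GetEnvironmentStringsW FreeEnvironmentStringsW
        SetEnvironmentVariableW SetStdHandle""".split()),
    ("USER32.dll", ["wsprintfW"]),
    ("ADVAPI32.dll", """LookupPrivilegeValueW AdjustTokenPrivileges AllocateAndInitializeSid
        SetEntriesInAclW RegCreateKeyExW SetNamedSecurityInfoW RegSetValueExW
        OpenProcessToken FreeSid RegCopyTreeW RegCreateKeyW RegQueryValueExW RegCloseKey
        RegEnumKeyExW RegOpenKeyExW""".split()),
    ("SHELL32.dll", ["SHGetFolderPathW", "SHFileOperationW"]),
    ("SHLWAPI.dll", ["PathFileExistsW", "SHDeleteKeyW", "SHDeleteValueW", "StrStrW"]),
]


def normalize_import(dll, func):
    """pefile's normalisation: lowercase, strip .dll/.ocx/.sys, ordinal as ordN."""
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        dll = base
    name = "ord%d" % func if isinstance(func, int) else func.lower()
    return "%s.%s" % (dll, name)


def imphash_string(imports):
    """The comma-joined string that is hashed; imports = [(dll, [func_or_ordinal, ...])]."""
    return ",".join(normalize_import(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# This example's own grouping of the APIs that matter for this sample's behaviour.
CAPABILITIES = {
    "registry rewrite": {"RegCreateKeyW", "RegCreateKeyExW", "RegSetValueExW",
                         "RegCopyTreeW", "SHDeleteKeyW", "SHDeleteValueW"},
    "process enumeration / termination": {"CreateToolhelp32Snapshot", "Process32FirstW",
                                          "Process32NextW", "OpenProcess", "TerminateProcess"},
    "privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "ACL rewrite": {"AllocateAndInitializeSid", "SetEntriesInAclW", "SetNamedSecurityInfoW"},
    "file deletion": {"DeleteFileW", "SHFileOperationW", "SetFileAttributesW"},
    "drive enumeration and file write": {"GetLogicalDrives", "CreateFileW", "SetFilePointer", "WriteFile"},
    "child process": {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    # Imported by the MSVC CRT start-up code itself, so a weak signal on its own.
    "debugger check (CRT baseline)": {"IsDebuggerPresent"},
}


def capabilities(imports):
    """Map each capability group to the imported names that hit it (sorted)."""
    names = {f for _, funcs in imports for f in funcs if isinstance(f, str)}
    return {tag: sorted(names & apis) for tag, apis in CAPABILITIES.items() if names & apis}


if __name__ == "__main__":
    print("imphash:", imphash(REPORT_IMPORTS))
    for tag, hits in capabilities(REPORT_IMPORTS).items():
        print("%-36s %s" % (tag, ", ".join(hits)))
```

Two properties worth keeping in mind when pivoting on this value: the hash depends on import order, so two builds with identical imports in different order get different hashes, and it ignores ordinal-to-name resolution unless the tool applies a lookup table as pefile does for a few DLLs. The capability groups are only as good as the static import table; a sample that resolves APIs through GetProcAddress (which this one also imports) keeps them out of the hash and out of the grouping.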
Language of compilation system  Country where language is spoken
English                         United States
No network behavior found

Target ID:0
Start time:01:50:57
Start date:31/10/2024
Path:C:\Users\user\Desktop\Spoofer.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\Spoofer.exe"
Imagebase:0x7ff79fa30000
File size:167'912 bytes
MD5 hash:FFCD50B0755FA610E1AE01815431D1CB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:01:50:57
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:01:51:07
Start date:31/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284
Imagebase:0x7ff7a4e60000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:14.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:75.8%
    Total number of Nodes:2000
    Total number of Limit Nodes:58
    execution_graph 20446 7ff79fa31fd0 20447 7ff79fa382b8 34 API calls 20446->20447 20448 7ff79fa31fd5 20447->20448 20448->20446 20449 7ff79fa31ff4 RegSetValueExW 20448->20449 20450 7ff79fa3201e memcpy_s __vcrt_freefls 20449->20450 20451 7ff79fa32039 NtQueryKey 20450->20451 20452 7ff79fa31010 69 API calls 20451->20452 20453 7ff79fa3208d RegCloseKey 20452->20453 20454 7ff79fa32096 RegOpenKeyExW 20453->20454 20455 7ff79fa320ce memcpy_s 20454->20455 20456 7ff79fa320de NtQueryKey 20455->20456 20457 7ff79fa31010 69 API calls 20456->20457 20458 7ff79fa32120 RegOpenKeyExW 20457->20458 20460 7ff79fa322b0 memcpy_s 20458->20460 20461 7ff79fa322c0 NtQueryKey 20460->20461 20462 7ff79fa31010 69 API calls 20461->20462 20463 7ff79fa32302 RegOpenKeyExW 20462->20463 20465 7ff79fa32817 memcpy_s 20463->20465 20466 7ff79fa32833 NtQueryKey 20465->20466 20467 7ff79fa31010 69 API calls 20466->20467 20468 7ff79fa32876 RegOpenKeyExW 20467->20468 20470 7ff79fa32a40 memcpy_s 20468->20470 20471 7ff79fa32a51 NtQueryKey 20470->20471 20472 7ff79fa31010 69 API calls 20471->20472 20473 7ff79fa32a94 RegOpenKeyExW 20472->20473 20475 7ff79fa32af8 memcpy_s 20473->20475 20476 7ff79fa32b09 NtQueryKey 20475->20476 20477 7ff79fa31010 69 API calls 20476->20477 20478 7ff79fa32b4c RegOpenKeyExW 20477->20478 20480 7ff79fa32bb0 memcpy_s 20478->20480 20481 7ff79fa32bc1 NtQueryKey 20480->20481 20482 7ff79fa31010 69 API calls 20481->20482 20483 7ff79fa32c04 RegOpenKeyExW 20482->20483 20485 7ff79fa32c68 memcpy_s 20483->20485 20486 7ff79fa32c79 NtQueryKey 20485->20486 20487 7ff79fa31010 69 API calls 20486->20487 20488 7ff79fa32cbc RegOpenKeyExW 20487->20488 20490 7ff79fa32d20 memcpy_s 20488->20490 20491 7ff79fa32d31 NtQueryKey 20490->20491 20492 7ff79fa31010 69 API calls 20491->20492 20493 7ff79fa32d74 RegOpenKeyExW 20492->20493 20495 7ff79fa32dd0 memcpy_s 20493->20495 20496 7ff79fa32dec NtQueryKey 20495->20496 20497 7ff79fa31010 69 API calls 20496->20497 20498 7ff79fa32e2f RegOpenKeyExW 20497->20498 20500 
7ff79fa32fec memcpy_s 20498->20500 20501 7ff79fa33008 NtQueryKey 20500->20501 20502 7ff79fa31010 69 API calls 20501->20502 20503 7ff79fa3304b RegOpenKeyExW 20502->20503 20505 7ff79fa33210 memcpy_s 20503->20505 20506 7ff79fa33221 NtQueryKey 20505->20506 20507 7ff79fa31010 69 API calls 20506->20507 20508 7ff79fa33264 20507->20508 20509 7ff79fa352a0 76 API calls 20508->20509 20510 7ff79fa33295 RegOpenKeyExW 20509->20510 20511 7ff79fa332c5 memcpy_s 20510->20511 20512 7ff79fa332e1 NtQueryKey 20511->20512 20513 7ff79fa31010 69 API calls 20512->20513 20514 7ff79fa33324 RegOpenKeyExW 20513->20514 20516 7ff79fa334f0 memcpy_s 20514->20516 20517 7ff79fa33501 NtQueryKey 20516->20517 20518 7ff79fa31010 69 API calls 20517->20518 20519 7ff79fa33544 20518->20519 20520 7ff79fa35560 75 API calls 20519->20520 20521 7ff79fa3358a 20520->20521 20522 7ff79fa35560 75 API calls 20521->20522 20523 7ff79fa335a4 20522->20523 20524 7ff79fa35560 75 API calls 20523->20524 20525 7ff79fa335be RegOpenKeyExW 20524->20525 20526 7ff79fa335ee memcpy_s 20525->20526 20527 7ff79fa3360a NtQueryKey 20526->20527 20528 7ff79fa31010 69 API calls 20527->20528 20529 7ff79fa3364d RegOpenKeyExW 20528->20529 20531 7ff79fa3380a memcpy_s 20529->20531 20532 7ff79fa33826 NtQueryKey 20531->20532 20533 7ff79fa31010 69 API calls 20532->20533 20534 7ff79fa33869 RegOpenKeyExW 20533->20534 20536 7ff79fa33a30 memcpy_s 20534->20536 20537 7ff79fa33a41 NtQueryKey 20536->20537 20538 7ff79fa31010 69 API calls 20537->20538 20539 7ff79fa33a84 RegOpenKeyExW 20538->20539 20541 7ff79fa33ae8 memcpy_s 20539->20541 20542 7ff79fa33af9 NtQueryKey 20541->20542 20543 7ff79fa31010 69 API calls 20542->20543 20544 7ff79fa33b3c RegOpenKeyExW 20543->20544 20546 7ff79fa33ba0 memcpy_s 20544->20546 20547 7ff79fa33bb1 NtQueryKey 20546->20547 20548 7ff79fa31010 69 API calls 20547->20548 20549 7ff79fa33bf4 RegOpenKeyExW 20548->20549 20551 7ff79fa33c58 memcpy_s 20549->20551 20552 7ff79fa33c69 NtQueryKey 20551->20552 20553 7ff79fa31010 69 API calls 
20552->20553 20554 7ff79fa33cac RegOpenKeyExW 20553->20554 20556 7ff79fa33d10 memcpy_s 20554->20556 20557 7ff79fa33d21 NtQueryKey 20556->20557 20558 7ff79fa31010 69 API calls 20557->20558 25653 7ff79fa36240 25654 7ff79fa36250 25653->25654 25670 7ff79fa3b638 25654->25670 25656 7ff79fa3625c 25676 7ff79fa367d8 25656->25676 25658 7ff79fa36ac0 7 API calls 25659 7ff79fa362f5 25658->25659 25660 7ff79fa36274 _RTC_Initialize 25668 7ff79fa362c9 25660->25668 25681 7ff79fa36988 25660->25681 25662 7ff79fa36289 25684 7ff79fa3ad94 25662->25684 25668->25658 25669 7ff79fa362e5 25668->25669 25671 7ff79fa3b649 25670->25671 25672 7ff79fa3b651 25671->25672 25673 7ff79fa3cbf0 memcpy_s 14 API calls 25671->25673 25672->25656 25674 7ff79fa3b660 25673->25674 25675 7ff79fa3cad0 _invalid_parameter_noinfo 31 API calls 25674->25675 25675->25672 25677 7ff79fa367e9 25676->25677 25680 7ff79fa367ee __scrt_acquire_startup_lock 25676->25680 25678 7ff79fa36ac0 7 API calls 25677->25678 25677->25680 25679 7ff79fa36862 25678->25679 25680->25660 25714 7ff79fa3694c 25681->25714 25683 7ff79fa36991 25683->25662 25685 7ff79fa3adb4 25684->25685 25692 7ff79fa36295 25684->25692 25686 7ff79fa3adbc 25685->25686 25687 7ff79fa3add2 25685->25687 25688 7ff79fa3cbf0 memcpy_s 14 API calls 25686->25688 25729 7ff79fa408dc GetModuleFileNameW 25687->25729 25689 7ff79fa3adc1 25688->25689 25690 7ff79fa3cad0 _invalid_parameter_noinfo 31 API calls 25689->25690 25690->25692 25692->25668 25713 7ff79fa36a60 InitializeSListHead 25692->25713 25698 7ff79fa3ae49 25701 7ff79fa3cbf0 memcpy_s 14 API calls 25698->25701 25699 7ff79fa3ae61 25700 7ff79fa3ab74 34 API calls 25699->25700 25706 7ff79fa3ae7d 25700->25706 25702 7ff79fa3ae4e 25701->25702 25703 7ff79fa3cc88 __free_lconv_mon 14 API calls 25702->25703 25703->25692 25704 7ff79fa3ae83 25705 7ff79fa3cc88 __free_lconv_mon 14 API calls 25704->25705 25705->25692 25706->25704 25707 7ff79fa3aec8 25706->25707 25708 7ff79fa3aeaf 25706->25708 25710 7ff79fa3cc88 __free_lconv_mon 14 API calls 
25707->25710 25709 7ff79fa3cc88 __free_lconv_mon 14 API calls 25708->25709 25711 7ff79fa3aeb8 25709->25711 25710->25704 25712 7ff79fa3cc88 __free_lconv_mon 14 API calls 25711->25712 25712->25692 25715 7ff79fa36966 25714->25715 25717 7ff79fa3695f 25714->25717 25718 7ff79fa3bbb8 25715->25718 25717->25683 25721 7ff79fa3b804 25718->25721 25728 7ff79fa41b50 EnterCriticalSection 25721->25728 25730 7ff79fa40922 GetLastError 25729->25730 25731 7ff79fa40936 25729->25731 25732 7ff79fa3cb80 14 API calls 25730->25732 25733 7ff79fa384a4 34 API calls 25731->25733 25734 7ff79fa4092f 25732->25734 25735 7ff79fa40964 25733->25735 25736 7ff79fa36220 _handle_error 8 API calls 25734->25736 25737 7ff79fa3cef0 5 API calls 25735->25737 25740 7ff79fa40975 25735->25740 25739 7ff79fa3adee 25736->25739 25737->25740 25741 7ff79fa3ab74 25739->25741 25753 7ff79fa407c8 25740->25753 25743 7ff79fa3abb2 25741->25743 25745 7ff79fa3ac18 25743->25745 25767 7ff79fa414d4 25743->25767 25744 7ff79fa3ad07 25747 7ff79fa3ad34 25744->25747 25745->25744 25746 7ff79fa414d4 34 API calls 25745->25746 25746->25745 25748 7ff79fa3ad4c 25747->25748 25749 7ff79fa3ad84 25747->25749 25748->25749 25750 7ff79fa3cc10 memcpy_s 14 API calls 25748->25750 25749->25698 25749->25699 25751 7ff79fa3ad7a 25750->25751 25752 7ff79fa3cc88 __free_lconv_mon 14 API calls 25751->25752 25752->25749 25754 7ff79fa40805 25753->25754 25757 7ff79fa407ec 25753->25757 25755 7ff79fa4080a 25754->25755 25756 7ff79fa41544 WideCharToMultiByte 25754->25756 25755->25757 25760 7ff79fa3cbf0 memcpy_s 14 API calls 25755->25760 25758 7ff79fa4085d 25756->25758 25757->25734 25758->25755 25759 7ff79fa40864 GetLastError 25758->25759 25762 7ff79fa4088d 25758->25762 25761 7ff79fa3cb80 14 API calls 25759->25761 25760->25757 25763 7ff79fa40871 25761->25763 25764 7ff79fa41544 WideCharToMultiByte 25762->25764 25765 7ff79fa3cbf0 memcpy_s 14 API calls 25763->25765 25766 7ff79fa408b4 25764->25766 25765->25757 25766->25757 25766->25759 25768 7ff79fa4145c 25767->25768 25769 
7ff79fa384a4 34 API calls 25768->25769 25770 7ff79fa41480 25769->25770 25770->25743 28351 7ff79fa3b72c 28354 7ff79fa3b6b0 28351->28354 28361 7ff79fa41b50 EnterCriticalSection 28354->28361 25774 7ff79fa38430 25775 7ff79fa3843b 25774->25775 25783 7ff79fa3d33c 25775->25783 25796 7ff79fa41b50 EnterCriticalSection 25783->25796 20915 7ff79fa33f30 20916 7ff79fa38580 34 API calls 20915->20916 20926 7ff79fa33f43 memcpy_s 20916->20926 20917 7ff79fa3405f RegEnumKeyExW 20917->20915 20919 7ff79fa3409c RegCloseKey 20917->20919 20918 7ff79fa38580 34 API calls 20918->20926 20920 7ff79fa340a5 20919->20920 20922 7ff79fa35b70 72 API calls 20920->20922 20921 7ff79fa33f66 SHDeleteValueW 20921->20926 20923 7ff79fa340b8 20922->20923 20924 7ff79fa35560 75 API calls 20923->20924 20927 7ff79fa340d2 20924->20927 20925 7ff79fa35560 75 API calls 20925->20917 20926->20917 20926->20918 20926->20921 20926->20925 20928 7ff79fa33fa6 NtQueryKey 20926->20928 20929 7ff79fa34003 NtQueryKey 20926->20929 20930 7ff79fa35560 75 API calls 20927->20930 20931 7ff79fa31010 69 API calls 20928->20931 20932 7ff79fa31010 69 API calls 20929->20932 20933 7ff79fa340ec SHDeleteValueW 20930->20933 20931->20926 20932->20926 20934 7ff79fa341db SHDeleteValueW 20933->20934 20935 7ff79fa34110 20933->20935 20936 7ff79fa342ca SHDeleteValueW 20934->20936 20937 7ff79fa341ff 20934->20937 20938 7ff79fa3412b memcpy_s 20935->20938 20939 7ff79fa3418c memcpy_s 20935->20939 20942 7ff79fa342ee 20936->20942 20963 7ff79fa34368 20936->20963 20940 7ff79fa3421a memcpy_s 20937->20940 20941 7ff79fa3427b memcpy_s 20937->20941 20943 7ff79fa34130 NtQueryKey 20938->20943 20944 7ff79fa34191 NtQueryKey 20939->20944 20950 7ff79fa3421f NtQueryKey 20940->20950 20949 7ff79fa34280 NtQueryKey 20941->20949 20951 7ff79fa3436a memcpy_s 20942->20951 20952 7ff79fa34309 memcpy_s 20942->20952 20946 7ff79fa31010 69 API calls 20943->20946 20944->20934 20947 7ff79fa31010 69 API calls 20944->20947 20945 7ff79fa35b70 72 API calls 20948 7ff79fa343cc 20945->20948 
20953 7ff79fa3418a 20946->20953 20947->20934 20954 7ff79fa35b70 72 API calls 20948->20954 20949->20936 20955 7ff79fa31010 69 API calls 20949->20955 20956 7ff79fa31010 69 API calls 20950->20956 20957 7ff79fa3436f NtQueryKey 20951->20957 20958 7ff79fa3430e NtQueryKey 20952->20958 20953->20934 20959 7ff79fa343df 20954->20959 20955->20936 20960 7ff79fa34279 20956->20960 20961 7ff79fa31010 69 API calls 20957->20961 20957->20963 20962 7ff79fa31010 69 API calls 20958->20962 20964 7ff79fa35b70 72 API calls 20959->20964 20960->20936 20961->20963 20962->20963 20963->20945 20965 7ff79fa343f2 RegOpenKeyExW 20964->20965 20966 7ff79fa34424 memcpy_s 20965->20966 20967 7ff79fa3443e NtQueryKey 20966->20967 20968 7ff79fa31010 69 API calls 20967->20968 20969 7ff79fa34481 memcpy_s 20968->20969 20970 7ff79fa346f2 GetTempPathW SHGetFolderPathW SHGetFolderPathW wsprintfW 20969->20970 20971 7ff79fa37440 memcpy_s 20970->20971 20972 7ff79fa34772 FindFirstFileW 20971->20972 20973 7ff79fa34790 20972->20973 20974 7ff79fa347b4 wsprintfW 20973->20974 20975 7ff79fa347df FindNextFileW 20973->20975 20976 7ff79fa35d70 87 API calls 20974->20976 20975->20973 20977 7ff79fa347f0 FindClose wsprintfW 20975->20977 20976->20975 20978 7ff79fa35d70 87 API calls 20977->20978 20979 7ff79fa34820 wsprintfW 20978->20979 20980 7ff79fa35d70 87 API calls 20979->20980 20981 7ff79fa34847 wsprintfW 20980->20981 20982 7ff79fa35d70 87 API calls 20981->20982 20983 7ff79fa3486e wsprintfW 20982->20983 20984 7ff79fa35d70 87 API calls 20983->20984 20985 7ff79fa34895 wsprintfW 20984->20985 20986 7ff79fa35d70 87 API calls 20985->20986 20987 7ff79fa348bc wsprintfW 20986->20987 20988 7ff79fa35d70 87 API calls 20987->20988 20989 7ff79fa348e3 wsprintfW 20988->20989 20990 7ff79fa35d70 87 API calls 20989->20990 20991 7ff79fa3490a wsprintfW 20990->20991 20992 7ff79fa35d70 87 API calls 20991->20992 20993 7ff79fa34931 GetLogicalDrives 20992->20993 20994 7ff79fa34f8c 20993->20994 21066 7ff79fa34947 memcpy_s 20993->21066 20995 7ff79fa34f98 
CreateToolhelp32Snapshot 20994->20995 20997 7ff79fa34fcf memcpy_s 20995->20997 21001 7ff79fa3506a 20995->21001 20996 7ff79fa31010 69 API calls 20998 7ff79fa34968 wsprintfW CreateFileW 20996->20998 21000 7ff79fa34fe0 Process32FirstW 20997->21000 20999 7ff79fa34aa6 wsprintfW 20998->20999 21027 7ff79fa349ba memcpy_s 20998->21027 21002 7ff79fa35d70 87 API calls 20999->21002 21003 7ff79fa35061 CloseHandle 21000->21003 21011 7ff79fa34ff8 21000->21011 21009 7ff79fa36220 _handle_error 8 API calls 21001->21009 21004 7ff79fa34ac9 wsprintfW 21002->21004 21003->21001 21006 7ff79fa35d70 87 API calls 21004->21006 21005 7ff79fa349ce ReadFile 21007 7ff79fa34a9d CloseHandle 21005->21007 21005->21027 21010 7ff79fa34aec wsprintfW 21006->21010 21007->20999 21008 7ff79fa38580 34 API calls 21008->21011 21012 7ff79fa350a3 21009->21012 21013 7ff79fa35d70 87 API calls 21010->21013 21011->21008 21014 7ff79fa35027 OpenProcess 21011->21014 21015 7ff79fa35014 Process32NextW 21011->21015 21017 7ff79fa34b0f wsprintfW 21013->21017 21014->21003 21016 7ff79fa35041 21014->21016 21015->21011 21018 7ff79fa35025 21015->21018 21019 7ff79fa31010 69 API calls 21016->21019 21020 7ff79fa35d70 87 API calls 21017->21020 21018->21003 21021 7ff79fa3504d TerminateProcess CloseHandle 21019->21021 21022 7ff79fa34b32 wsprintfW 21020->21022 21021->21003 21023 7ff79fa35d70 87 API calls 21022->21023 21024 7ff79fa34b55 wsprintfW 21023->21024 21026 7ff79fa35d70 87 API calls 21024->21026 21025 7ff79fa382b8 34 API calls 21025->21027 21028 7ff79fa34b78 wsprintfW 21026->21028 21027->21005 21027->21007 21027->21025 21030 7ff79fa382b8 34 API calls 21027->21030 21029 7ff79fa35d70 87 API calls 21028->21029 21032 7ff79fa34b9b wsprintfW 21029->21032 21031 7ff79fa34a5c SetFilePointer 21030->21031 21031->21007 21033 7ff79fa34a7f WriteFile 21031->21033 21034 7ff79fa35d70 87 API calls 21032->21034 21033->21007 21035 7ff79fa34bbe wsprintfW 21034->21035 21036 7ff79fa35d70 87 API calls 21035->21036 21037 7ff79fa34be1 wsprintfW 
21036->21037 21038 7ff79fa35d70 87 API calls 21037->21038 21039 7ff79fa34c04 wsprintfW 21038->21039 21040 7ff79fa35d70 87 API calls 21039->21040 21041 7ff79fa34c27 wsprintfW 21040->21041 21042 7ff79fa35d70 87 API calls 21041->21042 21043 7ff79fa34c4a wsprintfW 21042->21043 21044 7ff79fa35d70 87 API calls 21043->21044 21045 7ff79fa34c6d wsprintfW 21044->21045 21046 7ff79fa35d70 87 API calls 21045->21046 21047 7ff79fa34c90 wsprintfW 21046->21047 21048 7ff79fa35d70 87 API calls 21047->21048 21049 7ff79fa34cb3 wsprintfW 21048->21049 21052 7ff79fa34d00 memcpy_s 21049->21052 21050 7ff79fa34cde FindFirstFileW 21050->21052 21051 7ff79fa34d2d wsprintfW 21054 7ff79fa35d70 87 API calls 21051->21054 21052->21050 21052->21051 21053 7ff79fa34d57 FindNextFileW 21052->21053 21053->21052 21055 7ff79fa34d6b FindClose wsprintfW 21053->21055 21054->21053 21062 7ff79fa34dc0 memcpy_s 21055->21062 21056 7ff79fa34d9f FindFirstFileW 21056->21062 21057 7ff79fa34f07 FindNextFileW 21058 7ff79fa34f1f FindClose wsprintfW 21057->21058 21057->21062 21059 7ff79fa360b0 93 API calls 21058->21059 21059->21066 21060 7ff79fa34e39 wsprintfW 21060->21062 21061 7ff79fa34e68 FindFirstFileW 21061->21062 21062->21056 21062->21057 21062->21060 21062->21061 21063 7ff79fa34ea4 StrStrW 21062->21063 21065 7ff79fa34eed FindNextFileW 21062->21065 21064 7ff79fa34eba wsprintfW 21063->21064 21063->21065 21067 7ff79fa35d70 87 API calls 21064->21067 21065->21062 21068 7ff79fa34efe FindClose 21065->21068 21066->20994 21066->20996 21067->21065 21068->21057 21069 7ff79fa31730 21070 7ff79fa38580 34 API calls 21069->21070 21071 7ff79fa31743 21070->21071 21072 7ff79fa3174a RegEnumKeyExW 21071->21072 21073 7ff79fa31780 21071->21073 21072->21069 21074 7ff79fa3177e 21072->21074 21375 7ff79fa35950 RegCreateKeyW 21073->21375 21076 7ff79fa31793 RegCloseKey 21074->21076 21077 7ff79fa3179c RegOpenKeyExW 21076->21077 21078 7ff79fa317d4 memcpy_s 21077->21078 21079 7ff79fa317e4 NtQueryKey 21078->21079 21080 7ff79fa31010 69 API calls 
21079->21080 21081 7ff79fa31826 RegOpenKeyExW 21080->21081 21083 7ff79fa31890 memcpy_s 21081->21083 21084 7ff79fa318a0 NtQueryKey 21083->21084 21085 7ff79fa31010 69 API calls 21084->21085 21086 7ff79fa318e2 RegOpenKeyExW 21085->21086 21088 7ff79fa3194c memcpy_s 21086->21088 21089 7ff79fa3195c NtQueryKey 21088->21089 21090 7ff79fa31010 69 API calls 21089->21090 21091 7ff79fa3199e 21090->21091 21092 7ff79fa35b70 72 API calls 21091->21092 21093 7ff79fa319e3 21092->21093 21094 7ff79fa35b70 72 API calls 21093->21094 21095 7ff79fa319f6 21094->21095 21096 7ff79fa35b70 72 API calls 21095->21096 21097 7ff79fa31a09 21096->21097 21098 7ff79fa35b70 72 API calls 21097->21098 21099 7ff79fa31a1c 21098->21099 21100 7ff79fa35b70 72 API calls 21099->21100 21101 7ff79fa31a2f 21100->21101 21397 7ff79fa35c70 SHDeleteValueW 21101->21397 21104 7ff79fa31a79 memcpy_s 21105 7ff79fa31a94 NtQueryKey 21104->21105 21106 7ff79fa31010 69 API calls 21105->21106 21107 7ff79fa31ad6 RegOpenKeyExW 21106->21107 21109 7ff79fa31c96 memcpy_s 21107->21109 21110 7ff79fa31cb1 NtQueryKey 21109->21110 21111 7ff79fa31010 69 API calls 21110->21111 21112 7ff79fa31cf3 RegOpenKeyExW 21111->21112 21114 7ff79fa31eac memcpy_s 21112->21114 21115 7ff79fa31ec7 NtQueryKey 21114->21115 21116 7ff79fa31010 69 API calls 21115->21116 21117 7ff79fa31f09 RegOpenKeyExW 21116->21117 21119 7ff79fa320ce memcpy_s 21117->21119 21120 7ff79fa320de NtQueryKey 21119->21120 21121 7ff79fa31010 69 API calls 21120->21121 21122 7ff79fa32120 RegOpenKeyExW 21121->21122 21124 7ff79fa322b0 memcpy_s 21122->21124 21125 7ff79fa322c0 NtQueryKey 21124->21125 21126 7ff79fa31010 69 API calls 21125->21126 21127 7ff79fa32302 RegOpenKeyExW 21126->21127 21129 7ff79fa32817 memcpy_s 21127->21129 21130 7ff79fa32833 NtQueryKey 21129->21130 21131 7ff79fa31010 69 API calls 21130->21131 21132 7ff79fa32876 RegOpenKeyExW 21131->21132 21134 7ff79fa32a40 memcpy_s 21132->21134 21135 7ff79fa32a51 NtQueryKey 21134->21135 21136 7ff79fa31010 69 API calls 21135->21136 21137 
7ff79fa32a94 RegOpenKeyExW 21136->21137 21139 7ff79fa32af8 memcpy_s 21137->21139 21140 7ff79fa32b09 NtQueryKey 21139->21140 21141 7ff79fa31010 69 API calls 21140->21141 21142 7ff79fa32b4c RegOpenKeyExW 21141->21142 21144 7ff79fa32bb0 memcpy_s 21142->21144 21145 7ff79fa32bc1 NtQueryKey 21144->21145 21146 7ff79fa31010 69 API calls 21145->21146 21147 7ff79fa32c04 RegOpenKeyExW 21146->21147 21149 7ff79fa32c68 memcpy_s 21147->21149 21150 7ff79fa32c79 NtQueryKey 21149->21150 21151 7ff79fa31010 69 API calls 21150->21151 21152 7ff79fa32cbc RegOpenKeyExW 21151->21152 21154 7ff79fa32d20 memcpy_s 21152->21154 21155 7ff79fa32d31 NtQueryKey 21154->21155 21156 7ff79fa31010 69 API calls 21155->21156 21157 7ff79fa32d74 RegOpenKeyExW 21156->21157 21159 7ff79fa32dd0 memcpy_s 21157->21159 21160 7ff79fa32dec NtQueryKey 21159->21160 21161 7ff79fa31010 69 API calls 21160->21161 21162 7ff79fa32e2f RegOpenKeyExW 21161->21162 21164 7ff79fa32fec memcpy_s 21162->21164 21165 7ff79fa33008 NtQueryKey 21164->21165 21166 7ff79fa31010 69 API calls 21165->21166 21167 7ff79fa3304b RegOpenKeyExW 21166->21167 21169 7ff79fa33210 memcpy_s 21167->21169 21170 7ff79fa33221 NtQueryKey 21169->21170 21171 7ff79fa31010 69 API calls 21170->21171 21172 7ff79fa33264 21171->21172 21173 7ff79fa352a0 76 API calls 21172->21173 21174 7ff79fa33295 RegOpenKeyExW 21173->21174 21175 7ff79fa332c5 memcpy_s 21174->21175 21176 7ff79fa332e1 NtQueryKey 21175->21176 21177 7ff79fa31010 69 API calls 21176->21177 21178 7ff79fa33324 RegOpenKeyExW 21177->21178 21180 7ff79fa334f0 memcpy_s 21178->21180 21181 7ff79fa33501 NtQueryKey 21180->21181 21376 7ff79fa3598e RegCreateKeyExW 21375->21376 21377 7ff79fa359cc 21375->21377 21376->21377 21378 7ff79fa35a2c RegCopyTreeW 21377->21378 21379 7ff79fa359d0 memcpy_s 21377->21379 21380 7ff79fa35af7 memcpy_s 21378->21380 21381 7ff79fa35a45 SHDeleteKeyW 21378->21381 21382 7ff79fa359ec NtQueryKey 21379->21382 21386 7ff79fa35b13 NtQueryKey 21380->21386 21383 7ff79fa35a6c memcpy_s 21381->21383 21384 
7ff79fa35ac4 memcpy_s 21381->21384 21385 7ff79fa31010 69 API calls 21382->21385 21389 7ff79fa35a71 NtQueryKey 21383->21389 21390 7ff79fa35ac9 NtQueryKey 21384->21390 21388 7ff79fa35a27 21385->21388 21387 7ff79fa35b3f 21386->21387 21391 7ff79fa31010 69 API calls 21387->21391 21394 7ff79fa36220 _handle_error 8 API calls 21388->21394 21392 7ff79fa31010 69 API calls 21389->21392 21390->21387 21393 7ff79fa35b4e RegCloseKey 21391->21393 21395 7ff79fa35abf 21392->21395 21393->21388 21396 7ff79fa35b66 21394->21396 21395->21393 21396->21076 21398 7ff79fa35c9f 21397->21398 21407 7ff79fa35d0d 21397->21407 21400 7ff79fa35cba memcpy_s 21398->21400 21401 7ff79fa35d0f memcpy_s 21398->21401 21399 7ff79fa36220 _handle_error 8 API calls 21402 7ff79fa31a49 RegOpenKeyExW 21399->21402 21403 7ff79fa35cbf NtQueryKey 21400->21403 21404 7ff79fa35d14 NtQueryKey 21401->21404 21402->21104 21405 7ff79fa31010 69 API calls 21403->21405 21406 7ff79fa31010 69 API calls 21404->21406 21405->21407 21406->21407 21407->21399 21408 7ff79fa33930 21409 7ff79fa382b8 34 API calls 21408->21409 21410 7ff79fa33935 21409->21410 21410->21408 21411 7ff79fa33954 RegSetValueExW 21410->21411 21412 7ff79fa3397e memcpy_s __vcrt_freefls 21411->21412 21413 7ff79fa3399a NtQueryKey 21412->21413 21414 7ff79fa339ef RegCloseKey 21413->21414 21415 7ff79fa31010 69 API calls 21413->21415 21416 7ff79fa339f8 RegOpenKeyExW 21414->21416 21415->21414 21417 7ff79fa33a30 memcpy_s 21416->21417 21418 7ff79fa33a41 NtQueryKey 21417->21418 21419 7ff79fa31010 69 API calls 21418->21419 21420 7ff79fa33a84 RegOpenKeyExW 21419->21420 21422 7ff79fa33ae8 memcpy_s 21420->21422 21423 7ff79fa33af9 NtQueryKey 21422->21423 21424 7ff79fa31010 69 API calls 21423->21424 21425 7ff79fa33b3c RegOpenKeyExW 21424->21425 21427 7ff79fa33ba0 memcpy_s 21425->21427 21428 7ff79fa33bb1 NtQueryKey 21427->21428 21429 7ff79fa31010 69 API calls 21428->21429 21430 7ff79fa33bf4 RegOpenKeyExW 21429->21430 21432 7ff79fa33c58 memcpy_s 21430->21432 21433 7ff79fa33c69 
NtQueryKey 21432->21433 21434 7ff79fa31010 69 API calls 21433->21434 21435 7ff79fa33cac RegOpenKeyExW 21434->21435 21437 7ff79fa33d10 memcpy_s 21435->21437 21438 7ff79fa33d21 NtQueryKey 21437->21438 21439 7ff79fa31010 69 API calls 21438->21439 21440 7ff79fa33d64 RegOpenKeyExW 21439->21440 21442 7ff79fa33dc8 memcpy_s 21440->21442 21443 7ff79fa33dd9 NtQueryKey 21442->21443 21444 7ff79fa31010 69 API calls 21443->21444 21445 7ff79fa33e1c RegOpenKeyExW 21444->21445 21447 7ff79fa33e80 memcpy_s 21445->21447 21448 7ff79fa33e91 NtQueryKey 21447->21448 21449 7ff79fa31010 69 API calls 21448->21449 21450 7ff79fa33ed4 21449->21450 21451 7ff79fa35b70 72 API calls 21450->21451 21452 7ff79fa340b8 21451->21452 21453 7ff79fa35560 75 API calls 21452->21453 21454 7ff79fa340d2 21453->21454 21455 7ff79fa35560 75 API calls 21454->21455 21456 7ff79fa340ec SHDeleteValueW 21455->21456 21457 7ff79fa341db SHDeleteValueW 21456->21457 21458 7ff79fa34110 21456->21458 21459 7ff79fa342ca SHDeleteValueW 21457->21459 21460 7ff79fa341ff 21457->21460 21461 7ff79fa3412b memcpy_s 21458->21461 21462 7ff79fa3418c memcpy_s 21458->21462 21465 7ff79fa34368 21459->21465 21466 7ff79fa342ee 21459->21466 21463 7ff79fa3421a memcpy_s 21460->21463 21464 7ff79fa3427b memcpy_s 21460->21464 21467 7ff79fa34130 NtQueryKey 21461->21467 21468 7ff79fa34191 NtQueryKey 21462->21468 21476 7ff79fa3421f NtQueryKey 21463->21476 21475 7ff79fa34280 NtQueryKey 21464->21475 21469 7ff79fa35b70 72 API calls 21465->21469 21470 7ff79fa34309 memcpy_s 21466->21470 21471 7ff79fa3436a memcpy_s 21466->21471 21472 7ff79fa31010 69 API calls 21467->21472 21468->21457 21473 7ff79fa31010 69 API calls 21468->21473 21474 7ff79fa343cc 21469->21474 21482 7ff79fa3430e NtQueryKey 21470->21482 21481 7ff79fa3436f NtQueryKey 21471->21481 21477 7ff79fa3418a 21472->21477 21473->21457 21478 7ff79fa35b70 72 API calls 21474->21478 21475->21459 21479 7ff79fa31010 69 API calls 21475->21479 21480 7ff79fa31010 69 API calls 21476->21480 21477->21457 21483 
26567->26570 26569 7ff79fa3bdf8 34 API calls 26568->26569 26575 7ff79fa3c780 26568->26575 26571 7ff79fa3c78e 26569->26571 26572 7ff79fa3c730 26570->26572 26573 7ff79fa3c74e 26572->26573 26574 7ff79fa3c73e 26572->26574 26576 7ff79fa3d0e0 memcpy_s 6 API calls 26573->26576 26577 7ff79fa3d0e0 memcpy_s 6 API calls 26574->26577 26575->26560 26578 7ff79fa3c756 26576->26578 26579 7ff79fa3c745 26577->26579 26580 7ff79fa3c75a 26578->26580 26581 7ff79fa3c76c 26578->26581 26582 7ff79fa3cc88 __free_lconv_mon 14 API calls 26579->26582 26583 7ff79fa3d0e0 memcpy_s 6 API calls 26580->26583 26584 7ff79fa3c3c4 memcpy_s 14 API calls 26581->26584 26582->26568 26583->26579 26585 7ff79fa3c774 26584->26585 26586 7ff79fa3cc88 __free_lconv_mon 14 API calls 26585->26586 26586->26568 20711 7ff79fa333f0 20712 7ff79fa382b8 34 API calls 20711->20712 20713 7ff79fa333f5 20712->20713 20713->20711 20714 7ff79fa33414 RegSetValueExW 20713->20714 20715 7ff79fa3343e memcpy_s __vcrt_freefls 20714->20715 20716 7ff79fa3345a NtQueryKey 20715->20716 20717 7ff79fa334af RegCloseKey 20716->20717 20718 7ff79fa31010 69 API calls 20716->20718 20719 7ff79fa334b8 RegOpenKeyExW 20717->20719 20718->20717 20720 7ff79fa334f0 memcpy_s 20719->20720 20721 7ff79fa33501 NtQueryKey 20720->20721 20722 7ff79fa31010 69 API calls 20721->20722 20723 7ff79fa33544 20722->20723 20724 7ff79fa35560 75 API calls 20723->20724 20725 7ff79fa3358a 20724->20725 20726 7ff79fa35560 75 API calls 20725->20726 20727 7ff79fa335a4 20726->20727 20728 7ff79fa35560 75 API calls 20727->20728 20729 7ff79fa335be RegOpenKeyExW 20728->20729 20730 7ff79fa335ee memcpy_s 20729->20730 20731 7ff79fa3360a NtQueryKey 20730->20731 20732 7ff79fa31010 69 API calls 20731->20732 20733 7ff79fa3364d RegOpenKeyExW 20732->20733 20735 7ff79fa3380a memcpy_s 20733->20735 20736 7ff79fa33826 NtQueryKey 20735->20736 20737 7ff79fa31010 69 API calls 20736->20737 20738 7ff79fa33869 RegOpenKeyExW 20737->20738 20740 7ff79fa33a30 memcpy_s 20738->20740 20741 7ff79fa33a41 NtQueryKey 
20740->20741 20742 7ff79fa31010 69 API calls 20741->20742 20743 7ff79fa33a84 RegOpenKeyExW 20742->20743 20745 7ff79fa33ae8 memcpy_s 20743->20745 20746 7ff79fa33af9 NtQueryKey 20745->20746 20747 7ff79fa31010 69 API calls 20746->20747 20748 7ff79fa33b3c RegOpenKeyExW 20747->20748 20750 7ff79fa33ba0 memcpy_s 20748->20750 20751 7ff79fa33bb1 NtQueryKey 20750->20751 20752 7ff79fa31010 69 API calls 20751->20752 20753 7ff79fa33bf4 RegOpenKeyExW 20752->20753 20755 7ff79fa33c58 memcpy_s 20753->20755 20756 7ff79fa33c69 NtQueryKey 20755->20756 20757 7ff79fa31010 69 API calls 20756->20757 20758 7ff79fa33cac RegOpenKeyExW 20757->20758 20760 7ff79fa33d10 memcpy_s 20758->20760 20761 7ff79fa33d21 NtQueryKey 20760->20761 20762 7ff79fa31010 69 API calls 20761->20762 20763 7ff79fa33d64 RegOpenKeyExW 20762->20763 20765 7ff79fa33dc8 memcpy_s 20763->20765 20766 7ff79fa33dd9 NtQueryKey 20765->20766 20767 7ff79fa31010 69 API calls 20766->20767 20768 7ff79fa33e1c RegOpenKeyExW 20767->20768 20770 7ff79fa33e80 memcpy_s 20768->20770 20771 7ff79fa33e91 NtQueryKey 20770->20771 20772 7ff79fa31010 69 API calls 20771->20772 20773 7ff79fa33ed4 20772->20773 20774 7ff79fa35b70 72 API calls 20773->20774 20775 7ff79fa340b8 20774->20775 20776 7ff79fa35560 75 API calls 20775->20776 20777 7ff79fa340d2 20776->20777 20778 7ff79fa35560 75 API calls 20777->20778 20779 7ff79fa340ec SHDeleteValueW 20778->20779 20780 7ff79fa341db SHDeleteValueW 20779->20780 20781 7ff79fa34110 20779->20781 20782 7ff79fa342ca SHDeleteValueW 20780->20782 20783 7ff79fa341ff 20780->20783 20784 7ff79fa3412b memcpy_s 20781->20784 20785 7ff79fa3418c memcpy_s 20781->20785 20788 7ff79fa34368 20782->20788 20789 7ff79fa342ee 20782->20789 20786 7ff79fa3421a memcpy_s 20783->20786 20787 7ff79fa3427b memcpy_s 20783->20787 20790 7ff79fa34130 NtQueryKey 20784->20790 20791 7ff79fa34191 NtQueryKey 20785->20791 20799 7ff79fa3421f NtQueryKey 20786->20799 20798 7ff79fa34280 NtQueryKey 20787->20798 20792 7ff79fa35b70 72 API calls 20788->20792 20793 
7ff79fa34309 memcpy_s 20789->20793 20794 7ff79fa3436a memcpy_s 20789->20794 20795 7ff79fa31010 69 API calls 20790->20795 20791->20780 20796 7ff79fa31010 69 API calls 20791->20796 20797 7ff79fa343cc 20792->20797 20805 7ff79fa3430e NtQueryKey 20793->20805 20804 7ff79fa3436f NtQueryKey 20794->20804 20800 7ff79fa3418a 20795->20800 20796->20780 20801 7ff79fa35b70 72 API calls 20797->20801 20798->20782 20802 7ff79fa31010 69 API calls 20798->20802 20803 7ff79fa31010 69 API calls 20799->20803 20800->20780 20806 7ff79fa343df 20801->20806 20802->20782 20807 7ff79fa34279 20803->20807 20804->20788 20808 7ff79fa31010 69 API calls 20804->20808 20809 7ff79fa31010 69 API calls 20805->20809 20810 7ff79fa35b70 72 API calls 20806->20810 20807->20782 20808->20788 20809->20788 20811 7ff79fa343f2 RegOpenKeyExW 20810->20811 20812 7ff79fa34424 memcpy_s 20811->20812 20813 7ff79fa3443e NtQueryKey 20812->20813 20814 7ff79fa31010 69 API calls 20813->20814 20815 7ff79fa34481 memcpy_s 20814->20815 20816 7ff79fa346f2 GetTempPathW SHGetFolderPathW SHGetFolderPathW wsprintfW 20815->20816 20817 7ff79fa37440 memcpy_s 20816->20817 20818 7ff79fa34772 FindFirstFileW 20817->20818 20819 7ff79fa34790 20818->20819 20820 7ff79fa347b4 wsprintfW 20819->20820 20821 7ff79fa347df FindNextFileW 20819->20821 20822 7ff79fa35d70 87 API calls 20820->20822 20821->20819 20823 7ff79fa347f0 FindClose wsprintfW 20821->20823 20822->20821 20824 7ff79fa35d70 87 API calls 20823->20824 20825 7ff79fa34820 wsprintfW 20824->20825 20826 7ff79fa35d70 87 API calls 20825->20826 20827 7ff79fa34847 wsprintfW 20826->20827 20828 7ff79fa35d70 87 API calls 20827->20828 20829 7ff79fa3486e wsprintfW 20828->20829 20830 7ff79fa35d70 87 API calls 20829->20830 20831 7ff79fa34895 wsprintfW 20830->20831 20832 7ff79fa35d70 87 API calls 20831->20832 20833 7ff79fa348bc wsprintfW 20832->20833 20834 7ff79fa35d70 87 API calls 20833->20834 20835 7ff79fa348e3 wsprintfW 20834->20835 20836 7ff79fa35d70 87 API calls 20835->20836 20837 7ff79fa3490a wsprintfW 
20836->20837 20838 7ff79fa35d70 87 API calls 20837->20838 20839 7ff79fa34931 GetLogicalDrives 20838->20839 20840 7ff79fa34f8c 20839->20840 20912 7ff79fa34947 memcpy_s 20839->20912 20912->20840 21592 7ff79fa32ef4 21593 7ff79fa382b8 34 API calls 21592->21593 21594 7ff79fa32ef9 21593->21594 21594->21592 21595 7ff79fa32f18 RegSetValueExW 21594->21595 21596 7ff79fa32f42 memcpy_s __vcrt_freefls 21595->21596 21597 7ff79fa32f5e NtQueryKey 21596->21597 21598 7ff79fa31010 69 API calls 21597->21598 21599 7ff79fa32fb3 RegCloseKey 21598->21599 21600 7ff79fa32fbc RegOpenKeyExW 21599->21600 21601 7ff79fa32fec memcpy_s 21600->21601 21602 7ff79fa33008 NtQueryKey 21601->21602 21603 7ff79fa31010 69 API calls 21602->21603 21604 7ff79fa3304b RegOpenKeyExW 21603->21604 21606 7ff79fa33210 memcpy_s 21604->21606 21607 7ff79fa33221 NtQueryKey 21606->21607 21608 7ff79fa31010 69 API calls 21607->21608 21609 7ff79fa33264 21608->21609 21610 7ff79fa352a0 76 API calls 21609->21610 21611 7ff79fa33295 RegOpenKeyExW 21610->21611 21612 7ff79fa332c5 memcpy_s 21611->21612 21613 7ff79fa332e1 NtQueryKey 21612->21613 21614 7ff79fa31010 69 API calls 21613->21614 21615 7ff79fa33324 RegOpenKeyExW 21614->21615 21617 7ff79fa334f0 memcpy_s 21615->21617 21618 7ff79fa33501 NtQueryKey 21617->21618 21619 7ff79fa31010 69 API calls 21618->21619 21620 7ff79fa33544 21619->21620 21621 7ff79fa35560 75 API calls 21620->21621 21622 7ff79fa3358a 21621->21622 21623 7ff79fa35560 75 API calls 21622->21623 21624 7ff79fa335a4 21623->21624 21625 7ff79fa35560 75 API calls 21624->21625 21626 7ff79fa335be RegOpenKeyExW 21625->21626 21627 7ff79fa335ee memcpy_s 21626->21627 21628 7ff79fa3360a NtQueryKey 21627->21628 21629 7ff79fa31010 69 API calls 21628->21629 21630 7ff79fa3364d RegOpenKeyExW 21629->21630 21632 7ff79fa3380a memcpy_s 21630->21632 21633 7ff79fa33826 NtQueryKey 21632->21633 21634 7ff79fa31010 69 API calls 21633->21634 21635 7ff79fa33869 RegOpenKeyExW 21634->21635 21637 7ff79fa33a30 memcpy_s 21635->21637 21638 
7ff79fa33a41 NtQueryKey 21637->21638 21639 7ff79fa31010 69 API calls 21638->21639 21640 7ff79fa33a84 RegOpenKeyExW 21639->21640 21642 7ff79fa33ae8 memcpy_s 21640->21642 21643 7ff79fa33af9 NtQueryKey 21642->21643 21644 7ff79fa31010 69 API calls 21643->21644 21645 7ff79fa33b3c RegOpenKeyExW 21644->21645 21647 7ff79fa33ba0 memcpy_s 21645->21647 21648 7ff79fa33bb1 NtQueryKey 21647->21648 21649 7ff79fa31010 69 API calls 21648->21649 21650 7ff79fa33bf4 RegOpenKeyExW 21649->21650 21652 7ff79fa33c58 memcpy_s 21650->21652 21653 7ff79fa33c69 NtQueryKey 21652->21653 21654 7ff79fa31010 69 API calls 21653->21654 21655 7ff79fa33cac RegOpenKeyExW 21654->21655 21657 7ff79fa33d10 memcpy_s 21655->21657 21658 7ff79fa33d21 NtQueryKey 21657->21658 21659 7ff79fa31010 69 API calls 21658->21659 21660 7ff79fa33d64 RegOpenKeyExW 21659->21660 21662 7ff79fa33dc8 memcpy_s 21660->21662 21663 7ff79fa33dd9 NtQueryKey 21662->21663 21664 7ff79fa31010 69 API calls 21663->21664 21665 7ff79fa33e1c RegOpenKeyExW 21664->21665 21667 7ff79fa33e80 memcpy_s 21665->21667 21668 7ff79fa33e91 NtQueryKey 21667->21668 21669 7ff79fa31010 69 API calls 21668->21669 21670 7ff79fa33ed4 21669->21670 21671 7ff79fa35b70 72 API calls 21670->21671 21672 7ff79fa340b8 21671->21672 21673 7ff79fa35560 75 API calls 21672->21673 21674 7ff79fa340d2 21673->21674 21675 7ff79fa35560 75 API calls 21674->21675 21676 7ff79fa340ec SHDeleteValueW 21675->21676 21677 7ff79fa341db SHDeleteValueW 21676->21677 21678 7ff79fa34110 21676->21678 21679 7ff79fa342ca SHDeleteValueW 21677->21679 21680 7ff79fa341ff 21677->21680 21681 7ff79fa3412b memcpy_s 21678->21681 21682 7ff79fa3418c memcpy_s 21678->21682 21685 7ff79fa34368 21679->21685 21686 7ff79fa342ee 21679->21686 21683 7ff79fa3421a memcpy_s 21680->21683 21684 7ff79fa3427b memcpy_s 21680->21684 21687 7ff79fa34130 NtQueryKey 21681->21687 21688 7ff79fa34191 NtQueryKey 21682->21688 21696 7ff79fa3421f NtQueryKey 21683->21696 21695 7ff79fa34280 NtQueryKey 21684->21695 21689 7ff79fa35b70 72 API calls 
21685->21689 21690 7ff79fa34309 memcpy_s 21686->21690 21691 7ff79fa3436a memcpy_s 21686->21691 21692 7ff79fa31010 69 API calls 21687->21692 21688->21677 21693 7ff79fa31010 69 API calls 21688->21693 21694 7ff79fa343cc 21689->21694 21702 7ff79fa3430e NtQueryKey 21690->21702 21701 7ff79fa3436f NtQueryKey 21691->21701 21697 7ff79fa3418a 21692->21697 21693->21677 21698 7ff79fa35b70 72 API calls 21694->21698 21695->21679 21699 7ff79fa31010 69 API calls 21695->21699 21700 7ff79fa31010 69 API calls 21696->21700 21697->21677 21703 7ff79fa343df 21698->21703 21699->21679 21704 7ff79fa34279 21700->21704 21701->21685 21705 7ff79fa31010 69 API calls 21701->21705 21706 7ff79fa31010 69 API calls 21702->21706 21707 7ff79fa35b70 72 API calls 21703->21707 21704->21679 21705->21685 21706->21685 21708 7ff79fa343f2 RegOpenKeyExW 21707->21708 21709 7ff79fa34424 memcpy_s 21708->21709 21710 7ff79fa3443e NtQueryKey 21709->21710 21711 7ff79fa31010 69 API calls 21710->21711 21712 7ff79fa34481 memcpy_s 21711->21712 21713 7ff79fa346f2 GetTempPathW SHGetFolderPathW SHGetFolderPathW wsprintfW 21712->21713 21714 7ff79fa37440 memcpy_s 21713->21714 21715 7ff79fa34772 FindFirstFileW 21714->21715 21716 7ff79fa34790 21715->21716 21717 7ff79fa347b4 wsprintfW 21716->21717 21718 7ff79fa347df FindNextFileW 21716->21718 21719 7ff79fa35d70 87 API calls 21717->21719 21718->21716 21720 7ff79fa347f0 FindClose wsprintfW 21718->21720 21719->21718 21721 7ff79fa35d70 87 API calls 21720->21721 21722 7ff79fa34820 wsprintfW 21721->21722 22363 7ff79fa31360 RegOpenKeyExW 22385 7ff79fa31394 memcpy_s 22363->22385 22364 7ff79fa313a4 NtQueryKey 22366 7ff79fa31010 69 API calls 22364->22366 22365 7ff79fa313f8 RegEnumKeyExW 22367 7ff79fa315bd RegCloseKey 22365->22367 22365->22385 22370 7ff79fa313e2 22366->22370 22369 7ff79fa315c6 RegEnumKeyExW 22367->22369 22368 7ff79fa31440 RegOpenKeyExW 22368->22385 22369->22363 22371 7ff79fa31603 RegCloseKey 22369->22371 22370->22369 22372 7ff79fa3160c 22371->22372 22374 7ff79fa35c70 72 API 
calls 22372->22374 22373 7ff79fa31484 NtQueryKey 22376 7ff79fa31010 69 API calls 22373->22376 22377 7ff79fa31626 RegOpenKeyExW 22374->22377 22375 7ff79fa314d8 RegEnumKeyExW 22378 7ff79fa31577 RegCloseKey 22375->22378 22375->22385 22380 7ff79fa314c2 22376->22380 22381 7ff79fa3165e memcpy_s 22377->22381 22379 7ff79fa31580 RegEnumKeyExW 22378->22379 22379->22367 22379->22368 22380->22379 22383 7ff79fa3166e NtQueryKey 22381->22383 22382 7ff79fa38580 34 API calls 22382->22385 22386 7ff79fa31010 69 API calls 22383->22386 22384 7ff79fa3152c RegEnumKeyExW 22384->22385 22385->22364 22385->22365 22385->22368 22385->22373 22385->22375 22385->22378 22385->22382 22385->22384 22687 7ff79fa35710 RegOpenKeyExW 22385->22687 22388 7ff79fa316b0 RegOpenKeyExW 22386->22388 22390 7ff79fa317d4 memcpy_s 22388->22390 22391 7ff79fa317e4 NtQueryKey 22390->22391 22392 7ff79fa31010 69 API calls 22391->22392 22393 7ff79fa31826 RegOpenKeyExW 22392->22393 22395 7ff79fa31890 memcpy_s 22393->22395 22396 7ff79fa318a0 NtQueryKey 22395->22396 22397 7ff79fa31010 69 API calls 22396->22397 22398 7ff79fa318e2 RegOpenKeyExW 22397->22398 22400 7ff79fa3194c memcpy_s 22398->22400 22401 7ff79fa3195c NtQueryKey 22400->22401 22402 7ff79fa31010 69 API calls 22401->22402 22403 7ff79fa3199e 22402->22403 22404 7ff79fa35b70 72 API calls 22403->22404 22405 7ff79fa319e3 22404->22405 22406 7ff79fa35b70 72 API calls 22405->22406 22407 7ff79fa319f6 22406->22407 22408 7ff79fa35b70 72 API calls 22407->22408 22409 7ff79fa31a09 22408->22409 22410 7ff79fa35b70 72 API calls 22409->22410 22411 7ff79fa31a1c 22410->22411 22412 7ff79fa35b70 72 API calls 22411->22412 22413 7ff79fa31a2f 22412->22413 22414 7ff79fa35c70 72 API calls 22413->22414 22415 7ff79fa31a49 RegOpenKeyExW 22414->22415 22416 7ff79fa31a79 memcpy_s 22415->22416 22417 7ff79fa31a94 NtQueryKey 22416->22417 22418 7ff79fa31010 69 API calls 22417->22418 22419 7ff79fa31ad6 RegOpenKeyExW 22418->22419 22421 7ff79fa31c96 memcpy_s 22419->22421 22422 7ff79fa31cb1 NtQueryKey 
22421->22422 22423 7ff79fa31010 69 API calls 22422->22423 22424 7ff79fa31cf3 RegOpenKeyExW 22423->22424 22426 7ff79fa31eac memcpy_s 22424->22426 22427 7ff79fa31ec7 NtQueryKey 22426->22427 22428 7ff79fa31010 69 API calls 22427->22428 22429 7ff79fa31f09 RegOpenKeyExW 22428->22429 22431 7ff79fa320ce memcpy_s 22429->22431 22432 7ff79fa320de NtQueryKey 22431->22432 22433 7ff79fa31010 69 API calls 22432->22433 22434 7ff79fa32120 RegOpenKeyExW 22433->22434 22436 7ff79fa322b0 memcpy_s 22434->22436 22437 7ff79fa322c0 NtQueryKey 22436->22437 22438 7ff79fa31010 69 API calls 22437->22438 22439 7ff79fa32302 RegOpenKeyExW 22438->22439 22441 7ff79fa32817 memcpy_s 22439->22441 22442 7ff79fa32833 NtQueryKey 22441->22442 22443 7ff79fa31010 69 API calls 22442->22443 22444 7ff79fa32876 RegOpenKeyExW 22443->22444 22446 7ff79fa32a40 memcpy_s 22444->22446 22447 7ff79fa32a51 NtQueryKey 22446->22447 22448 7ff79fa31010 69 API calls 22447->22448 22449 7ff79fa32a94 RegOpenKeyExW 22448->22449 22451 7ff79fa32af8 memcpy_s 22449->22451 22452 7ff79fa32b09 NtQueryKey 22451->22452 22453 7ff79fa31010 69 API calls 22452->22453 22454 7ff79fa32b4c RegOpenKeyExW 22453->22454 22456 7ff79fa32bb0 memcpy_s 22454->22456 22457 7ff79fa32bc1 NtQueryKey 22456->22457 22458 7ff79fa31010 69 API calls 22457->22458 22459 7ff79fa32c04 RegOpenKeyExW 22458->22459 22461 7ff79fa32c68 memcpy_s 22459->22461 22462 7ff79fa32c79 NtQueryKey 22461->22462 22463 7ff79fa31010 69 API calls 22462->22463 22464 7ff79fa32cbc RegOpenKeyExW 22463->22464 22466 7ff79fa32d20 memcpy_s 22464->22466 22467 7ff79fa32d31 NtQueryKey 22466->22467 22468 7ff79fa31010 69 API calls 22467->22468 22469 7ff79fa32d74 RegOpenKeyExW 22468->22469 22471 7ff79fa32dd0 memcpy_s 22469->22471 22472 7ff79fa32dec NtQueryKey 22471->22472 22473 7ff79fa31010 69 API calls 22472->22473 22474 7ff79fa32e2f RegOpenKeyExW 22473->22474 22476 7ff79fa32fec memcpy_s 22474->22476 22477 7ff79fa33008 NtQueryKey 22476->22477 22478 7ff79fa31010 69 API calls 22477->22478 22479 
7ff79fa3304b RegOpenKeyExW 22478->22479 22481 7ff79fa33210 memcpy_s 22479->22481 22482 7ff79fa33221 NtQueryKey 22481->22482 22483 7ff79fa31010 69 API calls 22482->22483 22484 7ff79fa33264 22483->22484 22485 7ff79fa352a0 76 API calls 22484->22485 22486 7ff79fa33295 RegOpenKeyExW 22485->22486 22487 7ff79fa332c5 memcpy_s 22486->22487 22488 7ff79fa332e1 NtQueryKey 22487->22488 22688 7ff79fa35758 memcpy_s 22687->22688 22689 7ff79fa357b2 RegQueryValueExW 22687->22689 22692 7ff79fa35774 NtQueryKey 22688->22692 22690 7ff79fa357e0 memcpy_s 22689->22690 22691 7ff79fa3583c 22689->22691 22693 7ff79fa357fc NtQueryKey 22690->22693 22696 7ff79fa3584d 22691->22696 22706 7ff79fa3585e 22691->22706 22694 7ff79fa31010 69 API calls 22692->22694 22695 7ff79fa31010 69 API calls 22693->22695 22697 7ff79fa357ad 22694->22697 22698 7ff79fa35837 22695->22698 22699 7ff79fa31010 69 API calls 22696->22699 22703 7ff79fa36220 _handle_error 8 API calls 22697->22703 22702 7ff79fa3591d RegCloseKey 22698->22702 22699->22698 22700 7ff79fa3588a RegSetValueExW 22701 7ff79fa358b0 memcpy_s __vcrt_freefls 22700->22701 22707 7ff79fa358cc NtQueryKey 22701->22707 22702->22697 22705 7ff79fa35933 22703->22705 22704 7ff79fa382b8 34 API calls 22704->22706 22705->22378 22706->22700 22706->22704 22708 7ff79fa31010 69 API calls 22707->22708 22708->22702 22709 7ff79fa32360 RegOpenKeyExW 22743 7ff79fa32394 memcpy_s 22709->22743 22710 7ff79fa323a4 NtQueryKey 22712 7ff79fa31010 69 API calls 22710->22712 22711 7ff79fa323f8 RegEnumKeyExW 22713 7ff79fa32792 RegCloseKey 22711->22713 22711->22743 22715 7ff79fa323e2 22712->22715 22714 7ff79fa3279e RegEnumKeyExW 22713->22714 22714->22709 22717 7ff79fa327de RegCloseKey 22714->22717 22715->22714 22716 7ff79fa32440 RegOpenKeyExW 22716->22743 22718 7ff79fa327e7 RegOpenKeyExW 22717->22718 22720 7ff79fa32817 memcpy_s 22718->22720 22719 7ff79fa324d8 RegEnumKeyExW 22722 7ff79fa32743 RegCloseKey 22719->22722 22719->22743 22726 7ff79fa32833 NtQueryKey 22720->22726 22721 7ff79fa32484 
NtQueryKey 22723 7ff79fa31010 69 API calls 22721->22723 22725 7ff79fa3274c RegEnumKeyExW 22722->22725 22724 7ff79fa324c2 22723->22724 22724->22713 22724->22725 22725->22716 22725->22724 22727 7ff79fa31010 69 API calls 22726->22727 22728 7ff79fa32876 RegOpenKeyExW 22727->22728 22732 7ff79fa32a40 memcpy_s 22728->22732 22729 7ff79fa3253c RegOpenKeyExW 22729->22743 22730 7ff79fa32706 RegEnumKeyExW 22730->22722 22730->22743 22735 7ff79fa32a51 NtQueryKey 22732->22735 22733 7ff79fa325d4 RegEnumKeyExW 22737 7ff79fa326fd RegCloseKey 22733->22737 22733->22743 22734 7ff79fa32580 NtQueryKey 22738 7ff79fa31010 69 API calls 22734->22738 22736 7ff79fa31010 69 API calls 22735->22736 22739 7ff79fa32a94 RegOpenKeyExW 22736->22739 22737->22730 22738->22743 22742 7ff79fa32af8 memcpy_s 22739->22742 22740 7ff79fa32610 RegOpenKeyExW 22740->22743 22745 7ff79fa32b09 NtQueryKey 22742->22745 22743->22710 22743->22711 22743->22716 22743->22719 22743->22721 22743->22729 22743->22730 22743->22733 22743->22734 22743->22740 22744 7ff79fa32655 NtQueryKey 22743->22744 22747 7ff79fa350b0 73 API calls 22743->22747 22746 7ff79fa31010 69 API calls 22744->22746 22748 7ff79fa31010 69 API calls 22745->22748 22749 7ff79fa32694 22746->22749 22750 7ff79fa326b7 RegCloseKey 22747->22750 22751 7ff79fa32b4c RegOpenKeyExW 22748->22751 22752 7ff79fa326c2 RegEnumKeyExW 22749->22752 22750->22752 22754 7ff79fa32bb0 memcpy_s 22751->22754 22752->22737 22752->22740 22755 7ff79fa32bc1 NtQueryKey 22754->22755 22756 7ff79fa31010 69 API calls 22755->22756 22757 7ff79fa32c04 RegOpenKeyExW 22756->22757 22759 7ff79fa32c68 memcpy_s 22757->22759 22760 7ff79fa32c79 NtQueryKey 22759->22760 22761 7ff79fa31010 69 API calls 22760->22761 22762 7ff79fa32cbc RegOpenKeyExW 22761->22762 22764 7ff79fa32d20 memcpy_s 22762->22764 22765 7ff79fa32d31 NtQueryKey 22764->22765 22766 7ff79fa31010 69 API calls 22765->22766 22767 7ff79fa32d74 RegOpenKeyExW 22766->22767 22769 7ff79fa32dd0 memcpy_s 22767->22769 22770 7ff79fa32dec NtQueryKey 
22769->22770 22771 7ff79fa31010 69 API calls 22770->22771 22772 7ff79fa32e2f RegOpenKeyExW 22771->22772 22774 7ff79fa32fec memcpy_s 22772->22774 22775 7ff79fa33008 NtQueryKey 22774->22775 22776 7ff79fa31010 69 API calls 22775->22776 22777 7ff79fa3304b RegOpenKeyExW 22776->22777 22779 7ff79fa33210 memcpy_s 22777->22779 22780 7ff79fa33221 NtQueryKey 22779->22780 22781 7ff79fa31010 69 API calls 22780->22781 22782 7ff79fa33264 22781->22782 22783 7ff79fa352a0 76 API calls 22782->22783 22784 7ff79fa33295 RegOpenKeyExW 22783->22784 22785 7ff79fa332c5 memcpy_s 22784->22785 22786 7ff79fa332e1 NtQueryKey 22785->22786 22787 7ff79fa31010 69 API calls 22786->22787 22788 7ff79fa33324 RegOpenKeyExW 22787->22788 22790 7ff79fa334f0 memcpy_s 22788->22790 22791 7ff79fa33501 NtQueryKey 22790->22791 22792 7ff79fa31010 69 API calls 22791->22792 22793 7ff79fa33544 22792->22793 22794 7ff79fa35560 75 API calls 22793->22794 22795 7ff79fa3358a 22794->22795 22796 7ff79fa35560 75 API calls 22795->22796 22797 7ff79fa335a4 22796->22797 22798 7ff79fa35560 75 API calls 22797->22798 22799 7ff79fa335be RegOpenKeyExW 22798->22799 22800 7ff79fa335ee memcpy_s 22799->22800 22801 7ff79fa3360a NtQueryKey 22800->22801 22802 7ff79fa31010 69 API calls 22801->22802 22803 7ff79fa3364d RegOpenKeyExW 22802->22803 22805 7ff79fa3380a memcpy_s 22803->22805 22806 7ff79fa33826 NtQueryKey 22805->22806 22807 7ff79fa31010 69 API calls 22806->22807 22808 7ff79fa33869 RegOpenKeyExW 22807->22808 22810 7ff79fa33a30 memcpy_s 22808->22810 22811 7ff79fa33a41 NtQueryKey 22810->22811 22812 7ff79fa31010 69 API calls 22811->22812 22813 7ff79fa33a84 RegOpenKeyExW 22812->22813 22815 7ff79fa33ae8 memcpy_s 22813->22815 22816 7ff79fa33af9 NtQueryKey 22815->22816 22817 7ff79fa31010 69 API calls 22816->22817 22818 7ff79fa33b3c RegOpenKeyExW 22817->22818 22820 7ff79fa33ba0 memcpy_s 22818->22820 22821 7ff79fa33bb1 NtQueryKey 22820->22821 22822 7ff79fa31010 69 API calls 22821->22822 22823 7ff79fa33bf4 RegOpenKeyExW 22822->22823 22825 
7ff79fa33c58 memcpy_s 22823->22825 22826 7ff79fa33c69 NtQueryKey 22825->22826 22827 7ff79fa31010 69 API calls 22826->22827 22828 7ff79fa33cac RegOpenKeyExW 22827->22828 22830 7ff79fa33d10 memcpy_s 22828->22830 22831 7ff79fa33d21 NtQueryKey 22830->22831 22832 7ff79fa31010 69 API calls 22831->22832 22833 7ff79fa33d64 RegOpenKeyExW 22832->22833 22835 7ff79fa33dc8 memcpy_s 22833->22835 22836 7ff79fa33dd9 NtQueryKey 22835->22836 22837 7ff79fa31010 69 API calls 22836->22837 22838 7ff79fa33e1c RegOpenKeyExW 22837->22838 22840 7ff79fa33e80 memcpy_s 22838->22840 22841 7ff79fa33e91 NtQueryKey 22840->22841 22842 7ff79fa31010 69 API calls 22841->22842 22843 7ff79fa33ed4 22842->22843 22844 7ff79fa35b70 72 API calls 22843->22844 22845 7ff79fa340b8 22844->22845
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$CloseEnum
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$EDID$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEnum$LastEventlogWrittenTime$ProductActivationTime$SMBiosData$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Dfrg\Statistics$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SOFTWARE\NVIDIA Corporation\Global$SOFTWARE\NVIDIA Corporation\Global\CoProcManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\TPM\WMI$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$SYSTEM\CurrentControlSet\Services\mssmbios\Data$SYSTEM\HardwareConfig$SYSTEM\MountedDevices$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$device parameters$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$'B$AA$JF$N-$TA$b-$gA$v-$zA
    • API String ID: 2151403804-1942622762
    • Opcode ID: 011178d55986d74f676c4db6be8d2e498868a3a8847ec7ec5836db1f47acdafe
    • Instruction ID: 023a89ad8911f1988f674f66386f7a96f0eb34c3e65014abaf672c4db0e14401
    • Opcode Fuzzy Hash: 011178d55986d74f676c4db6be8d2e498868a3a8847ec7ec5836db1f47acdafe
    • Instruction Fuzzy Hash: 3C036D65A18AC391EB30EF35E840AE9A365FF96758FC04231D95D436A9DF7CE209C720
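    The String ID list for this function is the part of the metadata a responder can act on. It mixes registry key paths (hardware description, SMBIOS data, TPM, MountedDevices, SoftwareProtectionPlatform, NVIDIA and IDA history keys), wsprintfW path templates in which %c is a drive letter and %ws a wide string (Prefetch, setupapi logs, user profiles, browser caches), a raw-volume device path (\\.\%c:, which the graph pairs with CreateFileW, ReadFile, SetFilePointer and WriteFile after GetLogicalDrives), a single process name (WmiPrvSE.exe, while the graph shows a Process32FirstW/Process32NextW loop that ends in OpenProcess and TerminateProcess), and three shell commands that delete shadow copies, delete the USN journal and stop the WMI service. The Python helper below is an added example, not Joe Sandbox output and not code from the sample: it splits the `$`-separated list exactly as the report prints it, buckets each string by artefact type, turns the path templates into globs usable in a file-monitoring rule, and maps the commands to the ATT&CK techniques they implement. The STRING_ID excerpt is constructed from strings on this page; the bucket names and the technique table are the example's own.

```python
"""Triage helper for a Joe Sandbox "String ID" dump (added example, not part of the report)."""
import re
from collections import defaultdict

# Constructed excerpt of the '$'-separated list printed above. The full list can be pasted in
# unchanged: the separator and the wsprintfW specifiers (%c = drive letter, %ws = wide string)
# are the same. This is the example's own input, not the sandbox's output.
STRING_ID = (
    "-- DRIVE: %c --$%c:\\Windows\\Prefetch\\*$%c:\\Users\\%ws\\%ws$"
    "%c:\\System Volume Information\\tracking.log$%ws\\Microsoft\\Windows\\WebCache$\\\\.\\%c:$"
    "HARDWARE\\DESCRIPTION\\System\\MultifunctionAdapter\\0\\DiskController\\0\\DiskPeripheral$"
    "SOFTWARE\\Microsoft\\Cryptography$SYSTEM\\MountedDevices$"
    "SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI$Software\\Hex-Rays\\IDA\\History$"
    "InstallDate$SMBiosData$EDID$WmiPrvSE.exe$Failed to open key: %ws\\%ws$"
    "fsutil usn deletejournal /d %c:$net stop winmgmt /Y$vssadmin delete shadows /All /Quiet$"
    "pause$'B$AA"
)

# Registry roots as they appear in the strings. The hive (HKLM/HKCU) is not in the string
# because RegOpenKeyExW takes it as a handle; resolve it from the disassembly before writing rules.
HIVE_ROOTS = ("HARDWARE\\", "SOFTWARE\\", "SYSTEM\\")

# Command prefixes seen in the dump, mapped to the ATT&CK technique each one implements.
COMMAND_TECHNIQUES = {
    "vssadmin delete shadows": "T1490 Inhibit System Recovery",
    "fsutil usn deletejournal": "T1070 Indicator Removal",
    "net stop": "T1489 Service Stop",
}
BATCH_NOISE = {"pause"}  # batch keywords that carry no behaviour of their own


def classify(s):
    """Bucket one string by the shape a Windows artefact takes."""
    low = s.lower()
    if low in BATCH_NOISE or any(low.startswith(p) for p in COMMAND_TECHNIQUES):
        return "command"
    if s.upper().startswith(HIVE_ROOTS):
        return "registry_key"
    if s.startswith(("%c:\\", "%ws\\", "\\\\.\\")):
        return "file_path"  # \\.\%c: is a raw volume handle, not a file
    if low.endswith(".exe"):
        return "process"
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9]{3,}", s):
        return "registry_value_or_token"  # bare identifiers; usually value names
    if "%" in s or ":" in s:
        return "format_string"  # log/UI templates, not artefacts
    return "junk"  # 2-3 byte fragments the string scanner picked up


def triage(string_id):
    """Split the dump on '$' and group the strings by artefact type."""
    buckets = defaultdict(list)
    for s in string_id.split("$"):
        if s:
            buckets[classify(s)].append(s)
    return dict(buckets)


def to_glob(template):
    """Turn a wsprintfW path template into a glob for a file-monitoring rule."""
    return template.replace("%c:", "?:").replace("%ws", "*").replace("%c", "?")


def command_techniques(buckets):
    """Pair every command string with the technique it maps to; batch noise is skipped."""
    pairs = []
    for cmd in buckets.get("command", []):
        for prefix, technique in COMMAND_TECHNIQUES.items():
            if cmd.lower().startswith(prefix):
                pairs.append((cmd, technique))
    return pairs


if __name__ == "__main__":
    b = triage(STRING_ID)
    for kind, items in sorted(b.items()):
        print(f"[{kind}] {len(items)}")
        for item in items:
            print("   ", to_glob(item) if kind == "file_path" else item)
    for cmd, technique in command_techniques(b):
        print(f"{technique}: {cmd}")
```

    Two caveats when turning the buckets into detections. The registry strings carry no hive, so a key such as Software\Hex-Rays\IDA\History may be opened under HKCU while SYSTEM\MountedDevices is under HKLM; check the handle passed to RegOpenKeyExW before writing a Sysmon TargetObject filter. The path templates are expanded once per bit set in the GetLogicalDrives mask, so a single template can cover every mounted volume, and the ?: glob produced here is the right shape for that.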

    Control-flow Graph

    • Executed
    [Control-flow graph image for the function starting at 7ff79fa312ad; the exported node listing is not reproduced here]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to delete value: %ws\%ws\%ws$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$Killed Winmgmt$LastEnum$LastEventlogWrittenTime$ProductActivationTime$SMBiosData$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Dfrg\Statistics$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SOFTWARE\NVIDIA Corporation\Global$SOFTWARE\NVIDIA Corporation\Global\CoProcManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Enum\DISPLAY$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\TPM\WMI$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$SYSTEM\CurrentControlSet\Services\mssmbios\Data$SYSTEM\HardwareConfig$SYSTEM\MountedDevices$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$'B$AA$JF$N-$TA$b-$gA$v-$zA
    • API String ID: 2438856394-2710053498
    • Opcode ID: bdff909699275be76bf3eeb324d068cecea6190eb5992d04d0ea73af52d1f1b9
    • Instruction ID: 61c375a79b7b64fc72e8f1fac17b63acf3abfa5b6c7a94a55223eb5459f6c2e3
    • Opcode Fuzzy Hash: bdff909699275be76bf3eeb324d068cecea6190eb5992d04d0ea73af52d1f1b9
    • Instruction Fuzzy Hash: 70035B65A18AC391EB30EB35E840AE9A365FF96758FC04231D95D436E9DF7CE209C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseEnum_invalid_parameter_noinfo
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEnum$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Dfrg\Statistics$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SOFTWARE\NVIDIA Corporation\Global$SOFTWARE\NVIDIA Corporation\Global\CoProcManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\TPM\WMI$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$SYSTEM\MountedDevices$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$current$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$'B$AA$N-$TA$b-$gA$v-$zA
    • API String ID: 2570672917-3093837561
    • Opcode ID: c0993761d04a2b144cbb3060a4e0e93dc867e36eac02ed6e9e834ee6d2754e3d
    • Instruction ID: bb23fdbc2f0ecc5ca549914f60681a2b39601719345741da8670093573637f11
    • Opcode Fuzzy Hash: c0993761d04a2b144cbb3060a4e0e93dc867e36eac02ed6e9e834ee6d2754e3d
    • Instruction Fuzzy Hash: C5F25C65A18AC391EB30EB35E840AE9A365FF96758FC04231D95D436E9DF7CE209C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$CloseEnum
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$Identifier$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$arget$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2151403804-918286398
    • Opcode ID: 6bb6cb8c21cf45f45b62b1420dd50b7c140ec28eb4ae9433c11d0bcd1bc884ea
    • Instruction ID: fea42466165be43ce1a7bd4ad93d89f686dd076cf6358499779f929c9d056361
    • Opcode Fuzzy Hash: 6bb6cb8c21cf45f45b62b1420dd50b7c140ec28eb4ae9433c11d0bcd1bc884ea
    • Instruction Fuzzy Hash: 4CF26C65A18AC391EB30EF35E840AE9A365FF86758FC04131DA4D476A9DF7CE209C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WindowsAIKHash$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$7X$N-$b-$v-
    • API String ID: 1479153340-3907317689
    • Opcode ID: 3a7382b7e35d957bb99d70d6a82a8c94eb678c64a216733fd79bdf59e6fb197a
    • Instruction ID: 4589047f9cfdb4cecdd70530e8a48245b98899a82e185984c52a1c511ef19ee6
    • Opcode Fuzzy Hash: 3a7382b7e35d957bb99d70d6a82a8c94eb678c64a216733fd79bdf59e6fb197a
    • Instruction Fuzzy Hash: D6E25D65A18AC391EB30EF35E840AE9A361FF96758FC04231D95D436A9DF7CE209C760

    Control-flow Graph

    [Control-flow graph image for the function starting at 7ff79fa31b0e; the exported node listing is not reproduced here]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WindowsAIKHash$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1868047541
    • Opcode ID: 84163c07054ef4d5d271c132606bb1e07ed1a5ce4b0dc5f0e90dffbb519f9962
    • Instruction ID: 8cbe91b3cc74d0438bc0f5367cef30e60dcd5010864bb69a5f143f8b34884126
    • Opcode Fuzzy Hash: 84163c07054ef4d5d271c132606bb1e07ed1a5ce4b0dc5f0e90dffbb519f9962
    • Instruction Fuzzy Hash: 44E25D65A18AC391EB30EF35E840AE9A365FF96758FC04231D95D436A9DF7CE209C360

    Control-flow Graph (graph image omitted)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WHQLClass$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$!V$N-$b-$v-
    • API String ID: 1479153340-1072686700
    • Opcode ID: 3fea92191496b6fdfc35dae58368fbec0ba35ff66504d382fa416ca60c7359e4
    • Instruction ID: d0884a744c10046fb4dc414d816816799dcf4313fcebc8a0ccd16f7986e542b8
    • Opcode Fuzzy Hash: 3fea92191496b6fdfc35dae58368fbec0ba35ff66504d382fa416ca60c7359e4
    • Instruction Fuzzy Hash: 07E25E65A18AC391EB30EF35E840AE9A361FF96758FC04231D95D436A9DF7CE209C720

    Control-flow Graph (graph image omitted)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Direct3D$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-2595966675
    • Opcode ID: 7c8c63282ad58711d462e3852dbd3a7f5b4c28b4f1487b95fef5943f901f4aed
    • Instruction ID: 0ef8d0c682e31ec2047da3529c0807bc8f38209134f7764f7120e94db1e74fda
    • Opcode Fuzzy Hash: 7c8c63282ad58711d462e3852dbd3a7f5b4c28b4f1487b95fef5943f901f4aed
    • Instruction Fuzzy Hash: B1E25D65A18AC391EB30EF35E840AE9A365FF96758FC04231D95D436A9DF7CE209C360

    Control-flow Graph (graph image omitted)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WHQLClass$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-498307498
    • Opcode ID: 888ab60dd3bef6ffded9b974c765ed56c572e5513e5cb457cd15bf65617970fd
    • Instruction ID: e818e06cdb54d323be25957b86a36aa247132d33ed92a8ee945f0f556c00549e
    • Opcode Fuzzy Hash: 888ab60dd3bef6ffded9b974c765ed56c572e5513e5cb457cd15bf65617970fd
    • Instruction Fuzzy Hash: 86E25D65A18AC391EB30EF35E840AE9A361FF96758FC04231D95D476A9DF7CE209C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$MSICache$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 1479153340-3591321375
    • Opcode ID: 49261e9ae2479461c02087bcd6fff765ec26041f9004257ece68bbd7cf9add9f
    • Instruction ID: 7bd8b97a818d4576d9ecb5a08958180752a004352ca66ee0f390a4113e2b1ef8
    • Opcode Fuzzy Hash: 49261e9ae2479461c02087bcd6fff765ec26041f9004257ece68bbd7cf9add9f
    • Instruction Fuzzy Hash: 94E25E65A18AC391EB30EF35E840AE9A361FF96758FC04231D95D476A9DF7CE209C720

    Control-flow Graph
    • (rendered graph not reproduced; summary of its node data) Entry block 7ff79fa31d9a-7ff79fa3410a is a long run of RegOpenKeyExW / NtQueryKey / RegCloseKey pairs over the registry keys listed in the string table, ending in SHDeleteValueW calls (also at 7ff79fa341db and 7ff79fa342ca). From 7ff79fa343b9 the function resolves paths with GetTempPathW and SHGetFolderPathW, walks directories with wsprintfW-built patterns in FindFirstFileW / FindNextFileW / FindClose loops (a StrStrW name filter at 7ff79fa34ea4), enumerates volumes with GetLogicalDrives and, per drive, opens a wsprintfW-built path with CreateFileW at 7ff79fa3495a (the string table contains \\.\%c:) and performs ReadFile, SetFilePointer and WriteFile on the handle (7ff79fa349ba-7ff79fa34a97). It then snapshots processes with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW and calls OpenProcess and TerminateProcess on a matching entry (7ff79fa35027-7ff79fa3505b).
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Classes\Installer\Dependencies$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1769914591
    • Opcode ID: e7737c477dab04371f25de41324786169ab0ed033c9cb21541993cf6d2e21afd
    • Instruction ID: 98f0d1f48ad3beef69986bbe26c65fc3620f0cdfc5b072c0c29daf32ea97e680
    • Opcode Fuzzy Hash: e7737c477dab04371f25de41324786169ab0ed033c9cb21541993cf6d2e21afd
    • Instruction Fuzzy Hash: C2E25E65A18AC391EB30EF35E840AE9A365FF96758FC04231D95D476A9DF7CE209C320

    Control-flow Graph
    • (rendered graph not reproduced; summary of its node data) Entry block 7ff79fa31f41-7ff79fa3410a opens with NtQueryKey / RegCloseKey and then runs the same chain of RegOpenKeyExW / NtQueryKey / RegCloseKey pairs over the registry keys in the string table, ending in SHDeleteValueW calls (also at 7ff79fa341db and 7ff79fa342ca). From 7ff79fa343b9 the function resolves paths with GetTempPathW and SHGetFolderPathW, walks directories with wsprintfW-built patterns in FindFirstFileW / FindNextFileW / FindClose loops (a StrStrW name filter at 7ff79fa34ea4), enumerates volumes with GetLogicalDrives and, per drive, opens a wsprintfW-built path with CreateFileW at 7ff79fa3495a (the string table contains \\.\%c:) and performs ReadFile, SetFilePointer and WriteFile on the handle (7ff79fa349ba-7ff79fa34a97). It then snapshots processes with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW and calls OpenProcess and TerminateProcess on a matching entry (7ff79fa35027-7ff79fa3505b).
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$MSICache$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-3121326749
    • Opcode ID: b191324c449862ff15a1544401e646422b327a76ee82f3f12e265bea02c999eb
    • Instruction ID: fce0a9b895cfc730d97507090e082408c48bdcdda2dce9263139c3f750997bee
    • Opcode Fuzzy Hash: b191324c449862ff15a1544401e646422b327a76ee82f3f12e265bea02c999eb
    • Instruction Fuzzy Hash: 11E25E65A18AC391EB30EF35E840AE9A365FF96758FC04131D95D476A9DF7CE209C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$Close$Enum
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$Identifier$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 4181180710-915950041
    • Opcode ID: 6a7f9b750b484ee63e386e01163f1e3ed6940a72dcc01bdbe2756316f91d507f
    • Instruction ID: 73973ae71c6c450dffafb85ce80fc54b7b594f3a6eec6fcc0bfce9fc2ef86700
    • Opcode Fuzzy Hash: 6a7f9b750b484ee63e386e01163f1e3ed6940a72dcc01bdbe2756316f91d507f
    • Instruction Fuzzy Hash: 48E25D65A18AC391EB30EF35E840AE9A361FF96758FC04131DA5D476A9DF7CE209C360

    Control-flow Graph
    • (rendered graph not reproduced; summary of its node data) Entry block 7ff79fa31fb0-7ff79fa3410a is a long run of RegOpenKeyExW / NtQueryKey / RegCloseKey pairs over the registry keys listed in the string table, ending in SHDeleteValueW calls (also at 7ff79fa341db and 7ff79fa342ca). From 7ff79fa343b9 the function resolves paths with GetTempPathW and SHGetFolderPathW, walks directories with wsprintfW-built patterns in FindFirstFileW / FindNextFileW / FindClose loops (a StrStrW name filter at 7ff79fa34ea4), enumerates volumes with GetLogicalDrives and, per drive, opens a wsprintfW-built path with CreateFileW at 7ff79fa3495a (the string table contains \\.\%c:) and performs ReadFile, SetFilePointer and WriteFile on the handle (7ff79fa349ba-7ff79fa34a97). It then snapshots processes with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW and calls OpenProcess and TerminateProcess on a matching entry (7ff79fa35027-7ff79fa3505b).
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral$HARDWARE\DEVICEMAP\Scsi$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware 
Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\TPM\ODUID$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-3446921311
    • Opcode ID: 9a86fd3ddd5552888b12df08b507427053aaba8bae19fa76aec2a546f1327359
    • Instruction ID: bd4b608262390d8bba02281b26a52bbd779654f66ca8a7b5154213cfa44504e7
    • Opcode Fuzzy Hash: 9a86fd3ddd5552888b12df08b507427053aaba8bae19fa76aec2a546f1327359
    • Instruction Fuzzy Hash: 5DE25E65A18AC391EB30EF35E840AE9A365FF96758FC04131DA5D476A9DF7CE209C320

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$RandomSeed$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware 
Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 1479153340-3617408651
    • Opcode ID: faded6f2ed404337f7b512f11a6f072cd78c35824d9e8dc123577cc7aa1af6fe
    • Instruction ID: 7498d906d4d50b2678f65abc501039dd251c2435e757809bfd422a5808d2393c
    • Opcode Fuzzy Hash: faded6f2ed404337f7b512f11a6f072cd78c35824d9e8dc123577cc7aa1af6fe
    • Instruction Fuzzy Hash: E2D26D65A18AC391EB30EF35E840AE9A361FF96758FD04131DA5D476A9DF7CE209C320

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$RandomSeed$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware 
Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-2818654216
    • Opcode ID: 0c6db1f586e690110028e66d487cd8ee7c9df1472a76621a89acc1cf0bd13a73
    • Instruction ID: c58ebfee24bf280bf88d027c07857dd5d8c64e03c7d737de02cfd3a66fabec80
    • Opcode Fuzzy Hash: 0c6db1f586e690110028e66d487cd8ee7c9df1472a76621a89acc1cf0bd13a73
    • Instruction Fuzzy Hash: BDD25C65A18AC391EB30EF35E840AE9A361FF96758FD04131DA5D476A9DF7CE209C320

    Control-flow Graph

    • Executed
    • Not Executed
6327->6328 6329 7ff79fa34ddd-7ff79fa34de0 6327->6329 6328->6325 6333 7ff79fa34f1f-7ff79fa34f81 FindClose wsprintfW call 7ff79fa360b0 call 7ff79fa37440 call 7ff79fa31070 call 7ff79fa3a79c 6328->6333 6329->6326 6331 7ff79fa34de2-7ff79fa34de5 6329->6331 6337 7ff79fa34e20-7ff79fa34e37 6330->6337 6331->6326 6334 7ff79fa34de7-7ff79fa34def 6331->6334 6333->6236 6334->6326 6334->6328 6337->6337 6339 7ff79fa34e39-7ff79fa34e7c wsprintfW call 7ff79fa37440 FindFirstFileW 6337->6339 6345 7ff79fa34e80-7ff79fa34e8c 6339->6345 6347 7ff79fa34e8e-7ff79fa34e91 6345->6347 6348 7ff79fa34ea4-7ff79fa34eb8 StrStrW 6345->6348 6351 7ff79fa34eed-7ff79fa34efc FindNextFileW 6347->6351 6352 7ff79fa34e93-7ff79fa34e96 6347->6352 6350 7ff79fa34eba-7ff79fa34ee8 wsprintfW call 7ff79fa35d70 6348->6350 6348->6351 6350->6351 6351->6345 6355 7ff79fa34efe-7ff79fa34f01 FindClose 6351->6355 6352->6348 6356 7ff79fa34e98-7ff79fa34e9b 6352->6356 6355->6328 6356->6348 6357 7ff79fa34e9d-7ff79fa34ea2 6356->6357 6357->6348 6357->6351
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Cryptography$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-2054001295
    • Opcode ID: 7507718c2b71fbba0481c68e5da24dde3a01e56d35c8cb3026eb06350aa76acb
    • Instruction ID: 8bd5461dfd2ab070063b71d7a25ed396c1aefc5f75adf0fbb206e1e404cbed6c
    • Opcode Fuzzy Hash: 7507718c2b71fbba0481c68e5da24dde3a01e56d35c8cb3026eb06350aa76acb
    • Instruction Fuzzy Hash: BAD25C65A18AC391EB30EF35E840AE9A361FF96758FD04131DA5D476A9DF7CE209C320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$SusClientIdValidation$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-$D
    • API String ID: 1479153340-793026362
    • Opcode ID: e0181b0383ffc4b0ab0f4109491b48c32343401f0f1c87924f102d16b426ddaf
    • Instruction ID: e4e5b83195432c690a62cadee79676cdb0cbccc90582aa56da43633ff49c2185
    • Opcode Fuzzy Hash: e0181b0383ffc4b0ab0f4109491b48c32343401f0f1c87924f102d16b426ddaf
    • Instruction Fuzzy Hash: 1AC25B65A18AC395EB30EF34E840AE9A361FF96758FC04131DA5D476A9DF7CE209C360

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$SusClientIdValidation$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-4050218024
    • Opcode ID: 9a4039755c21977a9616b2e077c867a5dcd0c16e7a941c8ababaa702b8d9133f
    • Instruction ID: a7e98c7dd876f7c86d0dbf7a5b8171c3cd969492c2aef69b701f7dd0ef5f283a
    • Opcode Fuzzy Hash: 9a4039755c21977a9616b2e077c867a5dcd0c16e7a941c8ababaa702b8d9133f
    • Instruction Fuzzy Hash: E7C25A65A18AC395EB30EF35E840AE9A361FF92758FC04131DA5D476A9DF7CE209C360

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Dhcpv6DUID$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-$w
    • API String ID: 1479153340-4135747075
    • Opcode ID: ffd395109e45c944a61d0767720ec01d0269a40dd02f6b53a0373a5ad67c1f7e
    • Instruction ID: c788c05745fdd86513f6a64d346707c8ad7f0eeaf62d32454a17f4a81b67f1ba
    • Opcode Fuzzy Hash: ffd395109e45c944a61d0767720ec01d0269a40dd02f6b53a0373a5ad67c1f7e
    • Instruction Fuzzy Hash: BEB25B65A18AC395EB30EF34E840AE9A361FF92758FC04131DA5D476A9DF7CE209C360

    Control-flow Graph

    • Executed
    • Not Executed
7562->7554 7562->7556 7565->7565 7567 7ff79fa34e39-7ff79fa34e7c wsprintfW call 7ff79fa37440 FindFirstFileW 7565->7567 7573 7ff79fa34e80-7ff79fa34e8c 7567->7573 7575 7ff79fa34e8e-7ff79fa34e91 7573->7575 7576 7ff79fa34ea4-7ff79fa34eb8 StrStrW 7573->7576 7579 7ff79fa34eed-7ff79fa34efc FindNextFileW 7575->7579 7580 7ff79fa34e93-7ff79fa34e96 7575->7580 7578 7ff79fa34eba-7ff79fa34ee8 wsprintfW call 7ff79fa35d70 7576->7578 7576->7579 7578->7579 7579->7573 7583 7ff79fa34efe-7ff79fa34f01 FindClose 7579->7583 7580->7576 7584 7ff79fa34e98-7ff79fa34e9b 7580->7584 7583->7556 7584->7576 7585 7ff79fa34e9d-7ff79fa34ea2 7584->7585 7585->7576 7585->7579
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-622763180
    • Opcode ID: 111060260200f613040c6e15ddd628d3b75cbc21f4475789241096ee7294fddc
    • Instruction ID: 35e437a19dace4a3cde3a2acd71c661ace13ad518f345ff7834d25e36aa1f360
    • Opcode Fuzzy Hash: 111060260200f613040c6e15ddd628d3b75cbc21f4475789241096ee7294fddc
    • Instruction Fuzzy Hash: F6B25A65A18AC395EB30EF35E840AE9A361FF92758FC04131DA5D476A9DF7CE209C360

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Dhcpv6DUID$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1116883173
    • Opcode ID: d693aac7feb14787e5f7030110ab1ab0a1e2fab3a8588540b4e10fc32657843f
    • Instruction ID: 8097b45495010c815ac3661adff5cbda4967f4c0f2795efc4351bb5984a76656
    • Opcode Fuzzy Hash: d693aac7feb14787e5f7030110ab1ab0a1e2fab3a8588540b4e10fc32657843f
    • Instruction Fuzzy Hash: CFB25A65A18AC395EB30EF35E840AE9A361FF92758FC04131DA5D476A9DF7CE209C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Internet Explorer\Migration$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$SYSTEM\CurrentControlSet\Control\SystemInformation$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1492865464
    • Opcode ID: 192722111cb88c97ba38ad10c4d5b3897320cc0e245dcc5068a81c1674b3b684
    • Instruction ID: ff6bf51472acdcda1b73aca0c33dea892e708bf5d6a6e112cefa525779420871
    • Opcode Fuzzy Hash: 192722111cb88c97ba38ad10c4d5b3897320cc0e245dcc5068a81c1674b3b684
    • Instruction Fuzzy Hash: 76B25A65A18AC395EB30EF35E840AE9A361FF92758FC04131DA5D476A9DF7CE209C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$IE Installed Date$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-$?
    • API String ID: 335515371-206350793
    • Opcode ID: fa003fbf088fc43eec5c187c35b29a03a0b899aa3a652ce58f06bfa2e3e735dc
    • Instruction ID: 73267e6fa068e1105946758cb44f25e6ef9fe6a6254e44974449518836a96e8e
    • Opcode Fuzzy Hash: fa003fbf088fc43eec5c187c35b29a03a0b899aa3a652ce58f06bfa2e3e735dc
    • Instruction Fuzzy Hash: 4FB25B65A18AC395EB30EF34E850AE9A361FF92758FC04131DA4D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$IE Installed Date$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1515024828
    • Opcode ID: 8fc3294cba6efcecc0c497038ce1b8318750b4325cb419c3a9fcc8b023d74ac9
    • Instruction ID: 30c1fa344c20ab53cb4362fc0e4a8ef7d323ff5df40dfde0731b2f587e15d93e
    • Opcode Fuzzy Hash: 8fc3294cba6efcecc0c497038ce1b8318750b4325cb419c3a9fcc8b023d74ac9
    • Instruction Fuzzy Hash: 72B24B65A18AC395EB30EF35E840AE9A361FF92758FC04131DA4D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$InstallDate$InstallTime$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\SQMClient$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WinSqmFirstSessionStartTime$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1634009671
    • Opcode ID: 72a8d7183a9ffb8756199dac294068423cb9480c477a1f75c157d8c8b4f1a043
    • Instruction ID: 30ce25328df40632ee8935bf08634348efbfc195267b0b2989beefed34a5bdd1
    • Opcode Fuzzy Hash: 72a8d7183a9ffb8756199dac294068423cb9480c477a1f75c157d8c8b4f1a043
    • Instruction Fuzzy Hash: ADB24A65A18AC395EB30EF34E850AE9A361FF92758FC04131DA4D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$DigitalProductId$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-$q
    • API String ID: 1479153340-2564550749
    • Opcode ID: 2ddb362e1032a966aa632be02266f185252345d675df183e4ef5153bb4540905
    • Instruction ID: 6b815157858193a4b5a467f2c2771d05552344303e253d7bcff58848b3fda3b4
    • Opcode Fuzzy Hash: 2ddb362e1032a966aa632be02266f185252345d675df183e4ef5153bb4540905
    • Instruction Fuzzy Hash: 85A24B65A18AC395EB30EF34E850AE9A361FF92758FC04131DA4D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$DigitalProductId$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-3128925266
    • Opcode ID: 3241cb92fe11a76d32084f7d2594e847b0b6d8f9d6668ebe4c9091609857224d
    • Instruction ID: 2517ad162ee37f814c51f78509f4e176a3adf88e13f7b0876dd9a57b186e476c
    • Opcode Fuzzy Hash: 3241cb92fe11a76d32084f7d2594e847b0b6d8f9d6668ebe4c9091609857224d
    • Instruction Fuzzy Hash: C4A24B65A18AC395EB30EF35E850AE9A361FF92758FC04131DA0D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: OpenQuery$CloseValue
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws%c%c binary of length %d$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$DigitalProductId4$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 1479153340-2919401455
    • Opcode ID: 16733c9a6f1f144d29151f80f0b15ebca00035cd2be8a28d3efc859e453d35ae
    • Instruction ID: 3a8c09b928e7ca3bea95fcecc15285b061e1a5bc0b05d91cf4feabd463cfb2ca
    • Opcode Fuzzy Hash: 16733c9a6f1f144d29151f80f0b15ebca00035cd2be8a28d3efc859e453d35ae
    • Instruction Fuzzy Hash: FEA24C65A18AC395EB30EF34E850AE9A361FF92758FC04131DA0D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1903910896
    • Opcode ID: 571b743cbd0c1c822bbcd5fa33eaf352cf16d4c58b99335feceb9740f9ab6c80
    • Instruction ID: f09b7f11e91d4a380a98395c78597102ff6754bdfd6b2c960ca474a1bc433aed
    • Opcode Fuzzy Hash: 571b743cbd0c1c822bbcd5fa33eaf352cf16d4c58b99335feceb9740f9ab6c80
    • Instruction Fuzzy Hash: B8A24B65A18AC395EB30BF34E850AE9A361FF92758FD04131DA0D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$DigitalProductId4$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-832870992
    • Opcode ID: 4f72197274e2dd6314c4e50b35c2b140646daee875912034fb1e1e3bbff14c53
    • Instruction ID: 359dd6958a709a9c97a8a848d20744f2155455e0f80e8ae93915e86c40a267da
    • Opcode Fuzzy Hash: 4f72197274e2dd6314c4e50b35c2b140646daee875912034fb1e1e3bbff14c53
    • Instruction Fuzzy Hash: 0FA23B65A18AC395EB30AF35E850AE9A361FF92758FC04131DA0D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Open$DeleteValue$Close
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2438856394-1903910896
    • Opcode ID: 42568ab30e5d1f7b9cbb93a1fb4bb3efb4337c53ad52f31f91cf02ab441c4411
    • Instruction ID: feb3408e97bc0568a67ad32d41a7ab66e22060e8c5fbf82e7c0d48dcff2f2ce2
    • Opcode Fuzzy Hash: 42568ab30e5d1f7b9cbb93a1fb4bb3efb4337c53ad52f31f91cf02ab441c4411
    • Instruction Fuzzy Hash: 94923C65A18AC395EB30BF34E850AE9A361FF92758FD04131DA0D476A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: DeleteQueryValue$CloseEnum_invalid_parameter_noinfo
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\%ws\%ws%c%c deleted$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$BackupProductKeyDefault$Failed to delete value: %ws\%ws\%ws$Failed to open key: %ws\%ws$HARDWARE\UEFI\ESRT$LastEventlogWrittenTime$NetworkAddress$NetworkInterfaceInstallTimestamp$ProductActivationTime$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests$SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager$ServiceSessionId$Software\Hex-Rays\IDA\History$Software\Hex-Rays\IDA\History64$Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist$WmiPrvSE.exe$\\.\%c:$actionlist$configuration$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$properties$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2086151548-2386442464
    • Opcode ID: f46860bb828b9192627e01df74dece9755ba0a81abf64afab2d55abf57d2baa6
    • Instruction ID: df45bc39dd4a3b5f4e884a17ed2577eb81748df778cfa09c85726a959a083229
    • Opcode Fuzzy Hash: f46860bb828b9192627e01df74dece9755ba0a81abf64afab2d55abf57d2baa6
    • Instruction Fuzzy Hash: 75822D65A18AC795EB30FF34E854AE8A361FB52758FC04132DA0E475A9DF7CE609C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: wsprintf$FileFind$Close$FirstNext$Path$CreateFolderHandleProcess32$DrivesEnumLogicalPointerReadSnapshotTempToolhelp32Write
    • String ID: -- DRIVE: %c --$%c:\MSOCache$%c:\ProgramData\Microsoft\Windows\WER$%c:\ProgramData\ntuser.pol$%c:\Recovery\ntuser.sys$%c:\System Volume Information\IndexerVolumeGuid$%c:\System Volume Information\WPSettings.dat$%c:\System Volume Information\tracking.log$%c:\Users$%c:\Users\%ws\%ws$%c:\Users\%ws\*$%c:\Users\*$%c:\Users\Default\NTUSER.DAT$%c:\Users\Public\Libraries$%c:\Users\Public\Libraries\collection.dat$%c:\Users\Public\Shared Files$%c:\Windows\INF\setupapi.dev.log$%c:\Windows\INF\setupapi.setup.log$%c:\Windows\Prefetch\%ws$%c:\Windows\Prefetch\*$%c:\Windows\System32\restore\MachineGuid.txt$%c:\desktop.ini$%ws%ws$%ws*$%ws\D3DSCache$%ws\Microsoft\Feeds$%ws\Microsoft\Feeds Cache$%ws\Microsoft\Windows\INetCache$%ws\Microsoft\Windows\INetCookies$%ws\Microsoft\Windows\WebCache$%ws\Microsoft\XboxLive\AuthStateCache.dat$%ws\NVIDIA Corporation\GfeSDK$WmiPrvSE.exe$\\.\%c:$abcdef012345789$fsutil usn deletejournal /d %c:$net stop winmgmt /Y$ntuser$pause$vssadmin delete shadows /All /Quiet$N-$b-$v-
    • API String ID: 2687701999-1636852141
    • Opcode ID: 70f426fe44e36ba8b26442a04149096cbe3d1439a4750031e9d8c994259356f6
    • Instruction ID: adf4819ce115c87b26e6e944ac62d4b0e2a4b32863ba2b0f191e0cfa4456f636
    • Opcode Fuzzy Hash: 70f426fe44e36ba8b26442a04149096cbe3d1439a4750031e9d8c994259356f6
    • Instruction Fuzzy Hash: 88524165A18AC795EB30FF34E854AF86361FB52758FC04132CA0E475A8EF78E659C360
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
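The String ID fields of the functions above carry the sample's whole playbook as printf-style templates: drive-wide file deletions (Prefetch, setupapi logs, INetCache, WebCache), registry keys holding host identity (SoftwareProtectionPlatform, the display- and network-adapter class keys, HARDWARE\UEFI\ESRT) and three shell commands that remove recovery and history data (vssadmin delete shadows, fsutil usn deletejournal, net stop winmgmt). The script below is an added example, not part of the Joe Sandbox report or the sample's code: it splits one `$`-separated String ID field into those indicator classes, turns the command templates into regexes (with `%c` standing for a drive letter), and runs them over a few constructed process-creation records. The string list is an abbreviated copy of the report's, the event field names are assumed to follow Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`), and the events themselves are made up.

```python
"""
Added example, not from the Joe Sandbox report or the analysed sample:
classify one "String ID" field from the report and use its shell-command
templates to flag constructed process-creation events.
"""
import re

# Abbreviated copy of the report's String ID field; the real field is longer.
STRING_ID_LINE = (
    "-- DRIVE: %c --$%c:\\Windows\\Prefetch\\*$%c:\\Windows\\INF\\setupapi.dev.log"
    "$%ws\\%ws\\%ws%c%c deleted$Failed to open key: %ws\\%ws"
    "$SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion$HARDWARE\\UEFI\\ESRT"
    "$SYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}"
    "$DigitalProductId$NetworkAddress$ComputerHardwareIds$WmiPrvSE.exe$\\\\.\\%c:"
    "$fsutil usn deletejournal /d %c:$net stop winmgmt /Y"
    "$vssadmin delete shadows /All /Quiet$pause"
)

REG_ROOTS = ("SOFTWARE\\", "SYSTEM\\", "HARDWARE\\", "Software\\")
CMD_PREFIXES = ("vssadmin ", "fsutil ", "net ")


def classify(s: str) -> str:
    """Bucket one string from the report by what the sample uses it for."""
    if s.startswith(CMD_PREFIXES):
        return "command"          # handed to a shell; visible in process-creation logs
    if s.startswith("Failed") or "%c%c" in s or s.startswith("-- "):
        return "message"          # the tool's own console output templates
    if s.startswith(REG_ROOTS):
        return "registry_key"
    if s.startswith(("%c:\\", "%ws\\", "\\\\.\\")):
        return "file_path"        # %c = drive letter, %ws = profile/AppData prefix
    return "name"                 # registry value names, process names, literals


def parse_string_ids(line: str) -> dict:
    """Split the '$'-separated String ID field and group entries by class."""
    groups: dict = {}
    for s in line.split("$"):
        s = s.strip()
        if s:
            groups.setdefault(classify(s), []).append(s)
    return groups


def command_pattern(fmt: str) -> re.Pattern:
    """Turn a printf-style command template into a regex; %c matches one drive letter."""
    parts = [re.escape(p) for p in fmt.split("%c")]
    return re.compile("[A-Za-z]".join(parts), re.IGNORECASE)


def scan_process_events(events, templates):
    """Return (ProcessId, template) for every event whose CommandLine matches a template."""
    patterns = {t: command_pattern(t) for t in templates}
    hits = []
    for ev in events:
        for tmpl, rx in patterns.items():
            if rx.search(ev["CommandLine"]):
                hits.append((ev["ProcessId"], tmpl))
    return hits


# Constructed process-creation events (Sysmon Event ID 1 field names assumed).
# The first is benign administration; the other three mirror the sample's commands.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4102, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /All /Quiet", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4103, "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil usn deletejournal /d C:", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4104, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop winmgmt /Y", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def demo():
    """Extract the command templates from the report field and scan the sample events."""
    groups = parse_string_ids(STRING_ID_LINE)
    return scan_process_events(SAMPLE_EVENTS, groups["command"])


if __name__ == "__main__":
    for pid, tmpl in demo():
        print(f"PID {pid}: command line matches sample template {tmpl!r}")
```

Three of the four constructed events match; `vssadmin list shadows` does not, which is the distinction a rule on these commands needs to keep, since listing shadows is routine administration while `delete shadows /All /Quiet` rarely is. Feeding the full String ID field instead of the abbreviated copy yields the same three command templates plus the complete file and registry path lists, which can seed file-deletion and registry-value-deletion rules in the same way.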
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: AllocateErrorInitializeLast$ExistsFileFreePath
    • String ID: %ws%c%c deleted$Failed to delete file %ws: %d$Failed to initialize admin SID for %ws: %d$Failed to initialize all SID for %ws: %d$Failed to set ACL entries for %ws: %d$Failed to set DACL info for %ws: %d$Failed to set owner security info for %ws: %d
    • API String ID: 288852331-3281059140
    • Opcode ID: df42c4e1ab98574732ae9780040ae09f55ff5cd20d50a8ce18e6f544c52d3aaf
    • Instruction ID: 9f1a00271d52069268f0f9f24a2a55dc4f7ebcedf9f2ce7bdb25f4ac81d035a8
    • Opcode Fuzzy Hash: df42c4e1ab98574732ae9780040ae09f55ff5cd20d50a8ce18e6f544c52d3aaf
    • Instruction Fuzzy Hash: 86913232A187828AE720AF75E840AEDB7B4FB96794F504135DA8D47B68DF7CD144CB10
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Create$CloseCopyDeleteTree
    • String ID: %ws\%ws%c%c renamed to %ws$?$Failed to copy key: %ws\%ws$Failed to create key: %ws\%ws$Failed to delete key: %ws\%ws
    • API String ID: 4161649468-2427877325
    • Opcode ID: 0195a8e130aa473b8121bc2ddab400e4dee56eee56d7516b3e3f846ef31cadd2
    • Instruction ID: a5c9ee90e845235b47ef80c0f722e7aae3b69dce9f8857844c26c69b305a7e11
    • Opcode Fuzzy Hash: 0195a8e130aa473b8121bc2ddab400e4dee56eee56d7516b3e3f846ef31cadd2
    • Instruction Fuzzy Hash: BB515C61A18BC281FB20AB61F854BEAE764FF96794FC00531D98D43AA5DFBCD509C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Value$CloseOpen
    • String ID: %ws\%ws%c%c multi-string of length %d$ComputerHardwareIds$Failed to open key: %ws\%ws$Failed to read: %ws\%ws$SYSTEM\CurrentControlSet\Control\SystemInformation$abcdef012345789
    • API String ID: 3435567062-743368785
    • Opcode ID: 2374348a22f29063b31d9ff49ca34584210712819f955df97fdb65b56b123119
    • Instruction ID: 49656cb1dddedfa475bebb29efd19db44a386e3be2420f613f2f4a3d38b6cf01
    • Opcode Fuzzy Hash: 2374348a22f29063b31d9ff49ca34584210712819f955df97fdb65b56b123119
    • Instruction Fuzzy Hash: 48617271A1CBC285E770AB21E444AEEB365FB86754FC01231EA9D436A9DF7CE116C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$CloseOpenValue
    • String ID: %ws\%ws%c%c binary of length %d$Failed to allocate buffer for SpoofBinary$Failed to open key: %ws\%ws$Failed to query size of: %ws\%ws
    • API String ID: 3037986686-3630938552
    • Opcode ID: 6d7da729e2d05afe9cf88b1f46f78ccacf180214c490f2bc60399affdb3e7dfe
    • Instruction ID: 75d5f1662a5cc130a1018dd175cb48ee7c12194f948da424dc1ecca193278f47
    • Opcode Fuzzy Hash: 6d7da729e2d05afe9cf88b1f46f78ccacf180214c490f2bc60399affdb3e7dfe
    • Instruction Fuzzy Hash: F0515325A186C285E770EB35E850AEEA760FF96794FC00135E98D43B69DF7CE105C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$CloseOpenValue
    • String ID: %ws\%ws%c%c qword$Failed to open key: %ws\%ws$Failed to write: %ws\%ws
    • API String ID: 3037986686-2627636074
    • Opcode ID: e960dcfd0f6a72c86c54ed13c3c059b5900f9e04678fe82ebdfaae8b037f68ac
    • Instruction ID: f5b37143bd4bfd2873d2fe3f89b06e8ce468ac46a9846017b7fcb297d598724c
    • Opcode Fuzzy Hash: e960dcfd0f6a72c86c54ed13c3c059b5900f9e04678fe82ebdfaae8b037f68ac
    • Instruction Fuzzy Hash: 37416E61A19AC281EB70AB21F840BEAA760FF96794FC00531D98E43BA5DF7CD105C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Find$Filewsprintf$CloseFirstNext
    • String ID: %ws\%ws$%ws\*$desktop.ini
    • API String ID: 3589506793-3989664468
    • Opcode ID: c4ea21cacade08494015642cf7d37f68d84c5fd4b6dfdd685a0e9664394ccfe4
    • Instruction ID: a23d693b7dffd02fdc38ef2463557805b1922b12307bc6417c02ce372ee5813a
    • Opcode Fuzzy Hash: c4ea21cacade08494015642cf7d37f68d84c5fd4b6dfdd685a0e9664394ccfe4
    • Instruction Fuzzy Hash: 56315E15A1C6C285EA74BF24E494AFAA3A1FF86748FC44031DA8E43695DF6CE548CB20
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Value
    • String ID: %ws$%ws\%ws%c%c %ws -> $Failed to read: %ws\%ws$abcdef012345789
    • API String ID: 3306159399-1237074793
    • Opcode ID: a02fdf183702a5f91de443ef895afcae1a7b7d4a3b2d0ca32be171337a310dc0
    • Instruction ID: 68dd83661fa016f42614fa29153f0e2fbae49c0221bed271aa8cebb60e615c57
    • Opcode Fuzzy Hash: a02fdf183702a5f91de443ef895afcae1a7b7d4a3b2d0ca32be171337a310dc0
    • Instruction Fuzzy Hash: 3341B561A18AC185E770AB35E810AAAF364FF967A4F800331EDAD437E9DF7CD5458710
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$DeleteValue
    • String ID: %ws\%ws\%ws%c%c deleted$Failed to delete value: %ws\%ws\%ws
    • API String ID: 3557171673-216734843
    • Opcode ID: 1266ad938652ed2f99fcdff4ce156d2f280c24a26b5e050f226bbb1cf3acd9fb
    • Instruction ID: f6a71251c2eec73b97cf0d072770f2a8eeba1b84270d943e99dd33952f03f649
    • Opcode Fuzzy Hash: 1266ad938652ed2f99fcdff4ce156d2f280c24a26b5e050f226bbb1cf3acd9fb
    • Instruction Fuzzy Hash: D9216DA0A187C281FA60EB21E844AEAA764FF96794FC00531ED4E437A5DF7CE519C720
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Query$Delete
    • String ID: %ws\%ws%c%c deleted$Failed to delete value: %ws\%ws
    • API String ID: 3195291132-2427018271
    • Opcode ID: 1f8bff694e539e4b9fb0aa7fa286d98fd51645e1effe18c8031bc19fbb78aba1
    • Instruction ID: f786e6bf854561f0da1a97d2585de3146482865e3c5b69859b659519f37fe785
    • Opcode Fuzzy Hash: 1f8bff694e539e4b9fb0aa7fa286d98fd51645e1effe18c8031bc19fbb78aba1
    • Instruction Fuzzy Hash: D0218E60A1CBC281EA60EB21F851AEAA360FF96784FC00531D94E83765DF7CE115C720
    APIs
    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF79FA43A06
    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79FA43983,?,?,?,00007FF79FA4591A), ref: 00007FF79FA43AC4
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79FA43983,?,?,?,00007FF79FA4591A), ref: 00007FF79FA43B4E
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
    • String ID:
    • API String ID: 2210144848-0
    • Opcode ID: 4c4467eb53e8b2ae86fe8d3ccc315edba3cca0a65856e8ce8aca3aa4e5709194
    • Instruction ID: e5109e54fa843218b6ce0c10d1ced528e7d5a5b77d12a3958f2fd78860e30834
    • Opcode Fuzzy Hash: 4c4467eb53e8b2ae86fe8d3ccc315edba3cca0a65856e8ce8aca3aa4e5709194
    • Instruction Fuzzy Hash: D481AD22A1879299FB70BF75C840AFCA7A0EB46B94F844132DE0E57692DF3CA445D730
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
    • String ID:
    • API String ID: 1321466686-0
    • Opcode ID: 515d937c87dba087898e4e0cd710d90ce6468553d48aee6d9aa1c844c06d13bd
    • Instruction ID: adf8c6ce9a20365aa39fe85f553f6133b6057052fc9efdac61d99517d1745104
    • Opcode Fuzzy Hash: 515d937c87dba087898e4e0cd710d90ce6468553d48aee6d9aa1c844c06d13bd
    • Instruction Fuzzy Hash: 4E31F721E086828AFA78BB719551FF9E291EF87788FC44035E64E473D7DEADA4448270
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: 32a2b4e4b88f8da168daa2c2bd6c2917aa8552b2abb9d2aa6696ea08c37a84dc
    • Instruction ID: 24cbe689cdbb6b11a2a57430fc1c25ffa30595836713e26f7565c15f5e9a6084
    • Opcode Fuzzy Hash: 32a2b4e4b88f8da168daa2c2bd6c2917aa8552b2abb9d2aa6696ea08c37a84dc
    • Instruction Fuzzy Hash: 5031B432618BC18AEB20BF25E440AE9B764FB59780F944032DB4D87755DF3CD415DB11
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: FileHandleType
    • String ID:
    • API String ID: 3000768030-0
    • Opcode ID: 6aed8674480650ff07d60e89b8cf7cbd43bf15c2ac8e801b4554042e9f1dead7
    • Instruction ID: d9b237afe8d271a3f1dd7b7963c25b51008ab1c741319d23df5e3d8027c0667d
    • Opcode Fuzzy Hash: 6aed8674480650ff07d60e89b8cf7cbd43bf15c2ac8e801b4554042e9f1dead7
    • Instruction Fuzzy Hash: 13316221E18A9AD1D774BB3585905B8AA50FB46BB0BA80739DB6E073E0CF78F461D350
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c42d1c999636a2b37f4cad211ac4ca3a21fd06dab35280320b4c99c2e9fefcc4
    • Instruction ID: 1af08df2ff25607726f37644f021cae7ea50206e56447fa960976af0e800c869
    • Opcode Fuzzy Hash: c42d1c999636a2b37f4cad211ac4ca3a21fd06dab35280320b4c99c2e9fefcc4
    • Instruction Fuzzy Hash: 5321AE22A083C295E621BF35A851BBDA690EF427A1F954535E91D873D3CEBCE4418721
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: d77e3752368867859d0a385846c9dbc6cefc24ef53efaaaa48905b502b88a6bb
    • Instruction ID: c0bb2490504504daeac4bc131d77f27fc61263e5125ddd1315211fd074bda077
    • Opcode Fuzzy Hash: d77e3752368867859d0a385846c9dbc6cefc24ef53efaaaa48905b502b88a6bb
    • Instruction Fuzzy Hash: E5118F76A1CAC282F331BB24E4409E9F3A4EB52740F990435D65D477A2DF3CE8108B60
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: d2cb98bfa48d42a8f71358cd5d5a6bf3f4cb9462fd4dfb6ce9fc2ed034e1bb4a
    • Instruction ID: e5817b41779af2f9629c9ffa3a1fafb0a98114535f0d622ba619ce8132b30e6f
    • Opcode Fuzzy Hash: d2cb98bfa48d42a8f71358cd5d5a6bf3f4cb9462fd4dfb6ce9fc2ed034e1bb4a
    • Instruction Fuzzy Hash: 28110676A10F559CEB10DFB0E8814DC37B8FB193ACB900626EA4D52B59EF74D1A5C390
    APIs
    • HeapAlloc.KERNEL32(?,?,00000000,00007FF79FA3C7ED,?,?,?,00007FF79FA3CBF9,?,?,?,?,00007FF79FA3A733), ref: 00007FF79FA3CC65
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: ae2c2901f39d99e1dd5525730d5fce183a7bfda541585b2af8d5349738661e99
    • Instruction ID: ff9e43967a22f9c4d6c9f3dd0e17670ce7594be385b6f111e53dda020befad3b
    • Opcode Fuzzy Hash: ae2c2901f39d99e1dd5525730d5fce183a7bfda541585b2af8d5349738661e99
    • Instruction Fuzzy Hash: FBF06D74B0A29385FE787B769C51AF582E0DF5BB80F8C5434C80E863E2DDACE5804230
    APIs
    • HeapAlloc.KERNEL32(?,?,?,00007FF79FA3EFD6,?,?,?,00007FF79FA38BFF), ref: 00007FF79FA3DAE6
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: a2ee8bf492c16899c4098c7e5da8a8541a0e0ce49ccc1f633475b4c1e87850b8
    • Instruction ID: bc78c1eb5b5ad342d437babe4e35821baf5068411d2b79468778bde6634fe28a
    • Opcode Fuzzy Hash: a2ee8bf492c16899c4098c7e5da8a8541a0e0ce49ccc1f633475b4c1e87850b8
    • Instruction Fuzzy Hash: BDF05E00E1E2CA81FA743B719A51EF59280DF467A0F884634DC2E852D2DEECA4404170
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    • Opcode ID: d13820fffb8678dd24d5826c02e5315ff45007443369eabc7ee8057054167be5
    • Instruction ID: 11907932bda98d431e4de44ccf8fc33ac750186445dd127e6c0b5597a2bcd01e
    • Opcode Fuzzy Hash: d13820fffb8678dd24d5826c02e5315ff45007443369eabc7ee8057054167be5
    • Instruction Fuzzy Hash: 3B317F36608BC186E760AF38E8406EEB3A4FB89758F900136EA9D43B58DF7CD555CB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: ErrorFileLastWrite$ConsoleOutput
    • String ID:
    • API String ID: 1443284424-0
    • Opcode ID: cc373f5ee97a76e07c8fb47227af151b9235c2e13b1a335bc7f9cd6957b81425
    • Instruction ID: eea2f5c8fb69bbe4d7b43170f9e7fdc3d5d7c475c3776cb5847db93c6ec9b069
    • Opcode Fuzzy Hash: cc373f5ee97a76e07c8fb47227af151b9235c2e13b1a335bc7f9cd6957b81425
    • Instruction Fuzzy Hash: 0EE1FE22B18BC19AE721EF74D0409EDBBB0FB46788B948136DE4E57B99DE38D446C710
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: CurrentFeaturePresentProcessProcessor
    • String ID: Syst$emRo
    • API String ID: 1010374628-2127360862
    • Opcode ID: bb79c4f2d1116c76738481ef8e36bd2de68ac148b6c4f79657034690167a0bde
    • Instruction ID: d8c7a696976db13ba083d01fcc03d4c9b5695f8f0aa86d23be8f03bea138fafa
    • Opcode Fuzzy Hash: bb79c4f2d1116c76738481ef8e36bd2de68ac148b6c4f79657034690167a0bde
    • Instruction Fuzzy Hash: A7B1A262F096D149FB61FB719810AFEAA90EF46B94F944530DE5E177C5EE3CE8428320
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: d2eccbb6f9b0f08722a6682291c120512edfd3b3209812096fba3dc0373e4828
    • Instruction ID: a34abce3fe58fc7ec8abdd8706da00182f6a85bf529f2bdad50eec67298b3414
    • Opcode Fuzzy Hash: d2eccbb6f9b0f08722a6682291c120512edfd3b3209812096fba3dc0373e4828
    • Instruction Fuzzy Hash: 3AB09220E07A86C2EA183B256C82658A3A4BF49720FD44038C00C41320DF3C25B54B20
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: ErrorFreeHeapLast
    • String ID:
    • API String ID: 485612231-0
    • Opcode ID: 12f04c0efc1edea4b60523cd0fe6387ebf03eecceb3483c47a576535956ccdcd
    • Instruction ID: 84f5f8acd2ca47560ccac9498937b8416ed082cc0a5466a6ae835d96c330920f
    • Opcode Fuzzy Hash: 12f04c0efc1edea4b60523cd0fe6387ebf03eecceb3483c47a576535956ccdcd
    • Instruction Fuzzy Hash: 40410522714A9882EF54DF3AD9145A9B3A1F749FD4B889032EE4D97B58DF7CC5458300
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b79d7360a712701c374448f31ce732a132e3e022c7168972728fa694f36ce3b3
    • Instruction ID: 46a0b380d2f5932526dafac304542cbf480f86564efc19e874aeeeceeb400e60
    • Opcode Fuzzy Hash: b79d7360a712701c374448f31ce732a132e3e022c7168972728fa694f36ce3b3
    • Instruction Fuzzy Hash: 7FF068B17192958ADBB8DF3DA443A6977D0E708394F908039D58D83B14DA3C90A08F14
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4934b759d9ba8d4900929ccd6db34eb47d1366c4fa2aaca892cf2bb53195baf6
    • Instruction ID: a85fc135b7b9f864a888647007bf751729681024235199ed869160082ac51562
    • Opcode Fuzzy Hash: 4934b759d9ba8d4900929ccd6db34eb47d1366c4fa2aaca892cf2bb53195baf6
    • Instruction Fuzzy Hash: E7A00121919882A8F628AB28A8908F0A230EB52314B800031C10D415609EBCA4808620
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait_invalid_parameter_noinfo
    • String ID:
    • API String ID: 2936579111-0
    • Opcode ID: 7a06de935790cd3e07003de2fdf68dd159302b78c637aaea9b99e23d7ecb7298
    • Instruction ID: 5a9c2fb682333e9bb2425a9b0730689c59df31ab2e8519be95823725eed2c524
    • Opcode Fuzzy Hash: 7a06de935790cd3e07003de2fdf68dd159302b78c637aaea9b99e23d7ecb7298
    • Instruction Fuzzy Hash: 01615022B2979286FB34BF71D8409FCA3A5EB46BA4B810535DD1E17B95CF7CE4068360
    APIs
    • LoadLibraryExW.KERNEL32(?,?,?,00007FF79FA37AD2,?,?,?,00007FF79FA377CC,?,?,?,?,00007FF79FA3732D), ref: 00007FF79FA378A5
    • GetLastError.KERNEL32(?,?,?,00007FF79FA37AD2,?,?,?,00007FF79FA377CC,?,?,?,?,00007FF79FA3732D), ref: 00007FF79FA378B3
    • LoadLibraryExW.KERNEL32(?,?,?,00007FF79FA37AD2,?,?,?,00007FF79FA377CC,?,?,?,?,00007FF79FA3732D), ref: 00007FF79FA378DD
    • FreeLibrary.KERNEL32(?,?,?,00007FF79FA37AD2,?,?,?,00007FF79FA377CC,?,?,?,?,00007FF79FA3732D), ref: 00007FF79FA37923
    • GetProcAddress.KERNEL32(?,?,?,00007FF79FA37AD2,?,?,?,00007FF79FA377CC,?,?,?,?,00007FF79FA3732D), ref: 00007FF79FA3792F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: 226df8d268aceeddb525dfbbc928d441151b8aa342c57963fc96d6822b1cf0d6
    • Instruction ID: 91968603955c38b2961f496748eed7da0ab0515b22d157456ec83c0d264f8915
    • Opcode Fuzzy Hash: 226df8d268aceeddb525dfbbc928d441151b8aa342c57963fc96d6822b1cf0d6
    • Instruction Fuzzy Hash: AE31B625A1E68291EE71BB26A8009F5A298FF06B74F994635DD2D06394EF7CE8418320
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-3916222277
    • Opcode ID: a9a3a08e299bebb17efd841bea1eb4e032b691aa2614d771033c7e3a5a326836
    • Instruction ID: 450875e2406cb54d519ae23c7e7add8e59427883101b4a641905d83c65c44ccf
    • Opcode Fuzzy Hash: a9a3a08e299bebb17efd841bea1eb4e032b691aa2614d771033c7e3a5a326836
    • Instruction Fuzzy Hash: 00517B7291CA8286F774AF7AC049BFCB7A6EB0B748F941135C54A52295CFBCD481C621
    APIs
    • try_get_function.LIBVCRUNTIME ref: 00007FF79FA3D109
    • TlsSetValue.KERNEL32(?,?,?,00007FF79FA3C7DA,?,?,?,00007FF79FA3CBF9,?,?,?,?,00007FF79FA3A733), ref: 00007FF79FA3D120
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2299130183.00007FF79FA31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79FA30000, based on PE: true
    • Associated: 00000000.00000002.2299114188.00007FF79FA30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299150389.00007FF79FA4A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299168541.00007FF79FA57000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2299184730.00007FF79FA59000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79fa30000_Spoofer.jbxd
    Similarity
    • API ID: Valuetry_get_function
    • String ID: FlsSetValue
    • API String ID: 738293619-3750699315
    • Opcode ID: 6f50a672efe75b09ef701188c55ea55061fff8ef244a95e555dff37628b1cdca
    • Instruction ID: 20bf2fdbc863b4197a51a01503dd46edc47eb7ddcae3d2273b4da5288aa0188a
    • Opcode Fuzzy Hash: 6f50a672efe75b09ef701188c55ea55061fff8ef244a95e555dff37628b1cdca
    • Instruction Fuzzy Hash: 10E06561A1868682EA247F71F4409F5A221EF8AB90FC85031D50D06394CF3CE454C320